                      THURSDAY, SEPTEMBER 11, 2008

                  House of Representatives,
            Subcommittee on Energy and Air Quality,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 11:10 a.m., in 
room 2322 of the Rayburn House Office Building, Hon. Rick 
Boucher (chairman) presiding.
    Members present: Representatives Boucher, Melancon, Barrow, 
Markey, Upton, Shimkus, Walden, Rogers, and Barton (ex 
officio).
    Staff present: John Jimison, Richard Miller, Rachel 
Bleshman, Alex Haurek, David McCarthy, Andrea Spring, and 
Garrett Golding.

  OPENING STATEMENT OF HON. RICK BOUCHER, A REPRESENTATIVE IN 
           CONGRESS FROM THE COMMONWEALTH OF VIRGINIA

    Mr. Boucher. The subcommittee will come to order. This 
morning we are addressing a means of protecting the Nation's 
electricity grid from cybersecurity threats through which 
computer hackers could maliciously gain access by way of the 
Internet to the computers controlling key components of our 
Nation's electricity system and cause either short term system 
outages or more serious permanent system damage.
    No industry is more essential to the Nation's economy than 
is our electricity sector, and its protection is vital to both 
our economic security and to our national security. The 
Nation's electricity system consists of generators and regional 
networks of interconnected transmission lines. The controls 
which operate the grid and electricity generators attached to 
it are increasingly computer-connected to the Internet.
    In fact, increasing the degree of interactive grid 
computerization is a major element of the development of a 
smart grid which will improve system reliability, optimize 
generation, promote load balance, improve consumption 
management, and integrate new smart appliances and equipment. 
But with increased reliance on interactive digital technology 
comes the added risk of computer hackers entering the system 
and causing truly extensive damage.
    The Idaho National Laboratory conducted tests using the 
code name Aurora, demonstrating that standard utility control 
systems could be penetrated and adversely affected through 
unauthorized computer access. This demonstration showed that a 
cyber intruder could manipulate the control systems of a 
generation facility resulting in massive physical damage that 
could take months to repair.
    Cyber attacks on electricity systems have occurred in a 
number of nations, and the Federal Energy Regulatory Commission 
reports 20 documented cases where hackers have penetrated 
networks and were able to affect controls on dams, on a nuclear 
reactor, and have disabled backup generation and shut down 
power plants. The Defense Science Board reports that U.S. grid 
control systems are continuously probed electronically, and 
while none has yet been the subject of major damage or grid 
outages in the United States, cyber attacks have caused major 
grid outages in other nations.
    In 2007, the Department of Homeland Security notified the 
North American Electricity Reliability Corporation, known as 
NERC, of the Aurora vulnerability demonstrated by the Idaho 
National Laboratory. Based on this notification, the NERC 
issued an advisory to 1,800 owners and operators of facilities 
associated with our Nation's power grid and provided a 60-day 
schedule for immediate mitigation measures as well as longer 
term measures that would be implemented over a 180-day period.
    But compliance with this advisory recommendation was 
entirely voluntary by these 1,800 owners of facilities that are 
components of the national grid. The Federal Energy Regulatory 
Commission recently audited compliance with the advisory issued 
by the NERC and conducted that audit among 30 utilities. It 
found that of the 30 audited, 23 were not in compliance with 
the NERC advisory. One utility reportedly had a 10-year 
compliance schedule, notwithstanding the fact that 180 days was 
the outer limit for compliance in the NERC advisory.
    Another utility had never changed the factory-installed 
user names and passwords on its computers controlling its 
systems, and it was therefore clear that self-interest alone 
was not a sufficient motivation to mitigate the Aurora 
vulnerability.
    Based on the documented threat to the electricity system 
and on the noncompliance with voluntary measures which the 
audit revealed, the FERC, along with the U.S. Department of 
Energy and the Department of Defense, have identified an urgent 
need for legislative authority to allow the federal government 
to compel implementation of the measures to respond to the 
cybersecurity threat to our Nation's electricity grid.
    In response to that need, this subcommittee, on a 
bipartisan basis, has developed a bipartisan discussion draft. 
It requires the FERC to undertake a rulemaking to determine 
what measures or actions should be required to protect the bulk 
power system against vulnerabilities and then provides the FERC 
with the authority to enforce the rule once adopted.
    In addition, the FERC would be granted authority to issue 
such emergency orders as it deems necessary to protect the 
reliability of the bulk power system with regard to potential 
new cybersecurity emergencies not identified in the original 
rule, which are judged to be imminent threats under 
presidential declaration.
    While the discussion draft represents an outstanding 
bipartisan step toward enactment of the necessary federal 
legislation, several questions do remain open, and these 
questions will be addressed by our witnesses this morning. The 
outstanding issues include whether any legislation should be 
limited to cybersecurity threats alone or whether a grant of 
authority to address physical attacks on the grid should also 
be included.
    Another open issue is the exact wording of the specific 
definition of cybersecurity threat. A third open issue is the 
set of circumstances under which interim measures may be 
discontinued once they are activated. And finally the scope of 
the bill with regard to whether it includes entities not 
technically within our bulk power system, such as the 
electricity systems of the States of Hawaii and Alaska, the 
territory of Guam, and also core distribution facilities for 
electricity in some of our major cities such as New York City 
and Washington, D.C. And we will hear from our witnesses with 
regard to their sometimes contrasting views on these 
outstanding issues.
    Today's hearing will feature expert witnesses who will 
present information on both the potential threat of 
cybersecurity attacks against the electricity system and also 
the appropriate legislative response that we should be making 
to guard against those threats.
    I want to commend the staff on a bipartisan basis for the 
outstanding work that they have done during the August recess 
on this matter. The staff on both sides of the aisle have 
participated together in obtaining briefings from the agencies 
I have identified in this statement. They have participated 
together in constructing the legislative draft that is the 
subject of our hearing this morning, the discussion draft. And 
I want to commend them for doing that at a time when Congress 
was not here and when they were busily at work attending to 
this urgent business.
    I also want to say thank you to the ranking member of this 
subcommittee, Mr. Upton from Michigan, for his outstanding 
efforts and for that of his staff. He and I have had 
discussions with regard to this matter. We are participating 
jointly in the exercise to move our discussion draft to final 
legislation and to markup. Hopefully that will occur perhaps 
within the course of the coming week.
    And that partnership is a reflection of how this 
subcommittee and our full committee operate when it is at its 
best, and that is working in a bipartisan fashion to produce 
consensus solutions to the major problems that confront us. 
Nowhere has that effort been better reflected than in the work 
that has been done over August and that we continue here this 
morning.
    [Discussion draft follows:]
    Mr. Boucher. And at this time, I am pleased to recognize 
the ranking Republican on the Energy and Air Quality 
Subcommittee, Mr. Upton of Michigan, for his remarks.

   OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Upton. Well, thank you, and I do want to thank you and 
the staff on both sides. This is a very important hearing, an 
issue that we need to deal with. I appreciate our witnesses 
joining us this morning as well.
    Many of us know that the House Homeland Security Committee 
has examined the issue. They have focused on a vulnerability in 
electric generator control systems, which could allow remote 
access, enabling a bad actor or terrorist to remotely destroy a 
generator.
    And today we are going to follow up on those hearings and 
seek additional answers with a focus on the most productive way 
to ensure the security of our energy infrastructure. Members of 
this committee will follow up next week with a classified 
briefing on the topic as well. And following that briefing, I 
know that we can work together on bipartisan legislation. I 
would commend both Mr. Dingell, Mr. Barton in their efforts to 
that end.
    Major questions do need to be addressed. Is there an actual 
threat capable of causing catastrophic damage? Is there a 
regulatory gap that needs to be filled? Which agency should 
take the lead? And I hope that our witnesses will help address 
those questions today.
    Security of our Nation's energy infrastructure from attack 
is one of the most important issues that our committee will 
address. This is not an issue that we can take lightly or cover 
it up in just one hearing. Energy has been one of the leading 
issues debated in the Congress this year and rightfully so. 
Energy literally powers our economy. Even small price spikes or 
supply disruptions can have a large, important economic impact. 
It is imperative that the security of our Nation's energy 
infrastructure gets the attention that it deserves.
    I look forward to working with all my colleagues to address 
this in a most beneficial way. And, Mr. Chairman, I would yield 
back the balance of my time.
    Mr. Boucher. Well, thank you very much, Mr. Upton. And 
again I thank you for the outstanding cooperation you and your 
staff have provided on this matter. The gentleman from 
Massachusetts, Mr. Markey, is recognized for 3 minutes for an 
opening statement.

OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN 
        CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS

    Mr. Markey. Thank you, Chairman Boucher, for holding this 
important hearing today and having it on 9/11, the seventh 
anniversary of that horrific event. It serves as a stark 
reminder that addressing the vulnerability of cyber threats is 
long overdue.
    We have seen the reality of these incidents in various 
settings over the years, including the slammer worm at the 
Davis Besse Nuclear Power Plant and the Aurora vulnerability 
exposed at the Idaho National Laboratory. We know that this 
threat is real. We also know the impacts are real and 
potentially devastating.
    The Northeast blackout in 2003, when an estimated 50 
million people lost electricity, is estimated to have cost up 
to $10 billion and eight lives. And we also know the impacts of 
these events are the same regardless of whether the incident is 
caused by someone who wants to do us harm or someone who simply 
doesn't know they are about to.
    But this hearing is timely for other reasons as well. This 
Nation is finally, after years of control and of pocket padding 
by the oil industry, gathering the momentum to transition away 
from a dependence on foreign oil. It is a long overdue 
transition, and every day that we wait to rechart our course is 
a lost day. Based on the knowledge we have gained through hours 
of hearings in Congress, we know that the grid stands as one of 
the best and most immediate solutions to this crisis. With the 
surge in interest in alternative energy sources tapping into 
the grid and the increasing use and promise of electric 
vehicles, the grid is vital to our move towards energy 
independence. But it can only serve in this critical role if it 
is protected as a crucial asset.
    Fundamental changes to the structure of our grid could also 
eliminate or reduce cyber threats or diminish the harm 
resulting from them. Features offered through the developing 
smart grid technology, for example, could be used to reduce 
this threat and better position our response to such an event 
should such a cyber attack occur. Likewise, more distributed 
generation could conceivably reduce the extent of the impacts 
of a cyber attack.
    I thank you, Chairman Boucher, for having this hearing. It 
is obvious that the technologies that affect the two wires or 
the three wires that go into everyone's home, the cable, the 
phone company, and the electric company are now all merging in 
terms of the technologies. And one can help the other, and the 
other can help the one as we learn how to use technology, both 
to advance our energy independence agenda and at the same time, 
ensure that we are being protected from homeland security 
threats.
    So I thank you for being here. I see Jim Langevin down 
there, my good friend. We welcome you here as well, and I yield 
back the balance of my time.
    Mr. Boucher. I thank you very much, Mr. Markey, and, as you 
have noted, this issue is at the focal point of several issues 
in which you and I have a common interest, and that is 
information technology policy as well as energy policy. And I 
very much welcome your remarks today. The gentleman from Texas, 
Mr. Barton, the ranking Republican member of the full 
committee, is recognized for 5 minutes.

   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Barton. Thank you, Mr. Chairman. I just returned from 
the 9/11 ceremony out at the Pentagon. There couldn't be a 
better time to hold this hearing on cybersecurity. As we 
memorialize those brave men and women who gave their lives on 
September 11, both at the Pentagon and at the World Trade 
Center and in the fields of Pennsylvania, we have a real threat 
against the United States of America.
    It is not going away, and we need to defend ourselves 
against it, both militarily, and as this hearing is going to 
show, electronically in terms of protecting the power grid that 
provides electricity for our great Nation.
    I think we have a lot to learn in this area because the 
whole idea of a cyber attack is something that is, quite 
frankly, somewhat foreign to most of us, myself included. We 
have some feeling for the physical attacks which we have seen 
against our Nation time after time. But this is a new type of 
attack.
    What are the vulnerabilities? Is our electricity grid 
adequately protected? Will a one-time cyber reliability rule 
solve the problem, or do we have to have redundant systems and 
change those over time to upgrade against the continually 
changing threat? What are the consequences of a cyber attack if 
successful? Is it a matter of losing power in a certain region 
for a few hours? Is it a matter of destroying critical 
equipment, or is it a matter of losing power all over our great 
Nation for long periods of time? We simply don't know.
    Should the government write cybersecurity standards in this 
case, the Federal Energy Regulatory Commission, because under 
current law, the North American Electric Reliability 
Corporation, or Council, is simply too slow? If so, where 
should we draw the line? Do we address the bulk power system? 
What about military installations? What about local 
distribution systems? What about rural electric co-ops within 
single state boundaries? How do we do those?
    What about Canada and Mexico? What are their views on giving 
the FERC authority for the first time to coordinate and 
regulate with these nations that aren't within our own 
boundaries? Can we enforce such regulations if we agree that 
they are in the interest of these three nations? What about the 
views of the Defense Department and the National Security 
Council? What do they think about giving FERC the authority 
that we are thinking about giving them?
    Whatever we do in this subcommittee and next week in the 
full committee, this is certainly an issue that needs to be 
addressed, and I want to commend you, Mr. Chairman, for 
addressing it. I want to welcome our witnesses today. The 
distinguished subcommittee chairman of the Homeland Security 
Committee, the distinguished chairman of the Federal Energy 
Regulatory Committee Commission and the other witnesses.
    I do want to say one thing, Mr. Chairman, before I yield 
back. It was my understanding that Mr. Kelliher was going to be 
on a panel by himself. I see that you have him listed on a 
panel with non-elected officials. I think that is unacceptable. 
If I had known that was the way it was going to be, I would 
have objected strenuously. So I hope that before you actually 
begin the hearing, you will give a presidential appointee the 
courtesy that we have always given other appointees, and that 
is to testify by himself or herself.
    Mr. Boucher. Would the gentleman yield?
    Mr. Barton. Sure.
    Mr. Boucher. I thank the gentleman for making those remarks 
and comments, and would advise him that in the interest of 
time, Mr. Kelliher has graciously agreed to be a part of the 
second panel; although, he will be the first witness on that 
panel. Given the fact that we had the memorial today at the 
Pentagon this morning, and there is a subsequent one involving 
the House of Representatives at 11:45 and the urgency of 
addressing this issue, this was the only morning we could do 
it.
    And given that urgency, Mr. Kelliher has graciously agreed 
to help us expedite our proceedings by allowing us just to have 
one panel of witnesses following the statement that Mr. 
Langevin will make. And I thank him for that and----
    Mr. Barton. It is not----
    Mr. Boucher. Otherwise, I can assure the gentleman that we 
would have done as he suggests.
    Mr. Barton. Well, I appreciate the gentleman's--the 
chairman's explanation. With that, Mr. Chairman, I yield back.
    Mr. Boucher. Thank you very much, Mr. Barton. The gentleman 
from Louisiana, Mr. Melancon, is recognized for 3 minutes. Mr. 
Melancon waives his opening statement and will have 3 minutes 
added to his questioning time for the second panel of 
witnesses. The gentleman from Michigan, Mr. Rogers, is 
recognized for 3 minutes.

  OPENING STATEMENT OF HON. MIKE ROGERS, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Rogers. Thank you, Mr. Chairman. I happen to serve on 
the Intelligence Committee with Mr. Langevin, and so I am at 
least glad that he is paying attention to this because I think 
he will bring a good perspective from that side of the House. 
And I am not sure sometimes if it is a benefit or a hindrance 
being on that committee.
    And today, I am not sure either because I worry a little 
bit about the speed at which we are working here. We watched 
through the creation of the Director of National Intelligence 
that we were trying to coordinate our activities and our 
resources. And in a bipartisan way in this Congress we said 
slow down.
    The exponential growth was not necessarily serving the 
interests of national security. And our cyber infrastructure 
goes well beyond the grid. The grid is an incredibly important 
part of that protection and security apparatus, but it is a 
part of that.
    And we have lots of talent and lots of resources spread 
across the 16 intelligence agencies and Department of Defense, 
who have spent some serious amount of time and accumulated 
intellectual capital necessary to defeat what we know is a 
growing threat. And it is from terrorist organizations. It is 
from extortionists. It is joy riders on the superhighway, if 
you will, and it is certainly and very worrisome more 
aggressive by nation-states. And we see all of that activity 
growing exponentially. So the threat is very, very real.
    But my concern is we are doing a ready, shoot, aim approach 
to how we are going to solve this problem because what we are 
going to do, even if you give authorities, with that will go 
people and resources. And then they have to go back and try to 
find integration with the very organizations I just mentioned 
before.
    I am not sure that that is the right way to get where we 
want to go, and I want to commend all of you for working on 
this. I think it is a very, very important issue, and it is a 
serious issue. But I don't think creating a separate group 
through separate authorization is likely to get where we want 
to go in a timely manner.
    We have resources. We have coordination efforts already 
that we are trying to work through, and I think Mr. Langevin is 
certainly aware of those. And I am not sure this helps it. 
Matter of fact, in some cases, I think it might actually hinder 
it. So I hope that we take our time and slow down a little bit. 
I think it is great that we highlight the problem, but the fact 
that we don't have representation from Department of Defense, 
from the National Security Council, from the intelligence 
community, quite frankly from the DNI. I think the DNI should--
these are exactly the issues of which the director of national 
intelligence by this Congress was designated to help us move 
through some of these integrated policy issues where there is a 
cross spectrum of resources.
    So again I hope the hearing is for informational purposes. 
I would not be in a hurry, Mr. Chairman, to pass a bill and 
move it through the House without the full cooperation and 
coordination of those resources. I think it would be critical 
to the end here that we do this correctly.
    Mr. Boucher. Would the gentleman yield?
    Mr. Rogers. Absolutely. Yes, sir.
    Mr. Boucher. I thank the gentleman for those remarks, and I 
agree with the gentleman completely. There is a great sense of 
urgency that we address this need, as our witnesses will tell 
us this morning. On a bipartisan basis, we have constructed a 
discussion draft which addresses the core concerns that have 
been brought to us. There are some open issues which I have 
identified. They will be discussed here as well this morning.
    We invited the Department of Defense to send a witness to 
address the subcommittee this morning, and the Department of 
Defense declined to do that. I can tell the gentleman that we 
do intend to have a classified briefing for the--an opportunity 
offered to members for a classified briefing next week, and the 
Central Intelligence Agency. And the director of Central 
Intelligence will be a part of that briefing. And so the 
gentleman's request will be honored.
    I can tell him also that we intend to go through regular 
order in processing this legislation. Assuming that we are in a 
position to resolve the outstanding issues, and I very much 
hope that we will be, we would like to move to a markup next 
week. That would be after the classified briefing takes place.
    If the issues are resolved to the satisfaction of members, 
I see no reason why we shouldn't do that, given the urgency 
that exists. And then hopefully we can move to the full 
committee rapidly after that and then to the House floor. But I 
respect what the gentleman is saying, and he has expressed my 
view as well that we need to be very careful as we construct 
this measure. And we certainly intend to be.
    Mr. Upton. And if the gentleman will just yield. I have had 
some discussions with the chairman, Chairman Boucher, on this 
issue, and I agree that we ought to have regular order here. 
There are a number of witnesses that are not on the list that 
ought to be here. Just looking at the brief presentation that 
CNN made on the air I want to say it was last year, there are a 
number of folks, Homeland Security agency and others, that 
really ought to be represented.
    We need to do this right. It is critical. I don't have the 
luxury as you have, serving on the Intelligence Committee, Mr. 
Langevin and others. And as we are prepared to make sure that 
this is our level best, we have to have that input which is one 
of the reasons why the chairman and I thought it would be wise 
to have a classified briefing at the earliest moment which is, 
since we don't have votes tomorrow until Monday afternoon, 
Tuesday morning was the earliest time that we could do that to 
afford all members on both sides of the aisle to be able to ask 
questions in a private way.
    It will lend us a better understanding of the way that we 
should proceed and do it in the right course.
    Mr. Rogers. And I commend you for having that classified 
briefing. I think hopefully that will give us a different look 
at it, and I would understand why DOD might have a hard time 
here. Some of the things that our communities are working on 
are very, very sensitive.
    And because of the aggressive state of nation-states 
involved in cyber espionage and cyber terrorism, I can 
understand why they might have some reluctance to come here and 
not be able to answer questions. It puts it in an awkward 
place. So I hope that we take the time to see with this 
classified briefing.
    And I think it might help us all understand how yes, it is 
important, but it is more important that we do it right than we 
do something.
    Mr. Upton. That is right. And your attendance there will 
help all of us in terms of what you have been able to go 
through because of your experience on the Intelligence 
Committee.
    Mr. Boucher. I thank the gentleman for his contributions 
this morning. The gentleman from Oregon, Mr. Walden, is 
recognized for 3 minutes.
    Mr. Walden. Mr. Chairman, I will waive an opening 
statement. Thank you, sir.
    Mr. Boucher. Thank you very much, Mr. Walden. We now 
welcome our first witness this morning, the Honorable Jim 
Langevin from Rhode Island, and we appreciate very much your 
attendance here. Mr. Langevin is the chairman of the 
Subcommittee on Emerging Threat, Cybersecurity, and Science and 
Technology of the Committee on Homeland Security, and I know 
from my discussions with him, has been actively involved in 
examining the question of cybersecurity for his tenure of 
chairman of that subcommittee. And he has much useful 
information he can share with us this morning.
    So, Jim, we welcome you, and your prepared statement will 
be made a part of the record. And we would welcome your oral 
remarks.

   STATEMENT OF JAMES R. LANGEVIN, CHAIRMAN, SUBCOMMITTEE ON 
 EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND TECHNOLOGY, 
                 COMMITTEE ON HOMELAND SECURITY

    Mr. Langevin. Thank you, Mr. Chairman, and good morning. I 
would like to thank Chairman Boucher for his invitation to 
testify on this critical----
    Mr. Boucher. If you could move that microphone a little bit 
closer and be sure it is on, that would help us in hearing you. 
Thank you.
    Mr. Langevin. Is that better?
    Mr. Boucher. That is better.
    Mr. Langevin. Very good. I want to thank Chairman Boucher 
for his invitation to testify on this critical issue of 
national security. I very much appreciate the chairman's 
interest and that of Ranking Member Upton, and your interest in 
cybersecurity relates to the electric grid. And I commend both 
these gentlemen, the full committee, and its staff for their 
efforts in this area.
    I would also like to thank Chairman Thompson of the 
Homeland Security Committee for his proactive leadership on 
these issues as well.
    Mr. Chairman, as you mentioned, I chair the Emerging 
Threat, Cybersecurity, and Science and Technology Subcommittee 
for the Homeland Security Committee where I have conducted 
eight hearings and dozens of investigations on cybersecurity 
issues during the 110th Congress. I am also a member of the 
House Permanent Subcommittee on Intelligence, and I co-chair 
the Center for Strategic and International Studies Commission 
on Cybersecurity for the 44th Presidency.
    Each of these positions has afforded me the opportunity to 
examine the issues that are before this committee today. Now, I 
want to clearly state that I believe America is disturbingly 
vulnerable to a cyber attack against the electric grid that 
could cause significant consequences to our Nation's critical 
infrastructure.
    Virtually every expert I have consulted shares this 
assessment. Though I cannot provide classified details at this 
hearing, I hope that my testimony will support this assertion 
and encourage you to act on this legislation.
    The effective functioning of the bulk power system is 
highly dependent on control systems, computer-based systems 
used to monitor and control sensitive processes and physical 
functions. Once largely closed to the outside world, control 
systems are increasingly connected to open networks, and the 
risks to these systems are steadily increasing.
    Consider what has happened in the last 5 years. Criminal 
extortion schemes have exploited control systems for economic 
gain. Numerous disruptions from the Davis-Besse Power Plant 
incident in 2003 to the Northeast blackout, to the Browns Ferry 
Nuclear Power Plant failure in 2006 were caused by 
unintentional cyber incidents.
    Furthermore, the U.S. has evidence that Al Qaeda is 
interested in the vulnerabilities of our public and private 
utilities. Additionally, nation-state adversaries have publicly 
stated that attacking our domestic critical infrastructure, 
including the civilian electric grids, will be part of their 
war plans in an engagement with the United States.
    Clearly intentional and unintentional control system 
failures on the BPS can have a potentially devastating impact 
on the economy, public health, and national security of the 
United States. Now, for a society that runs on power, the 
discontinuity of electricity to chemical plants, banks, 
refineries, and water systems presents a terrifying scenario. 
These incidents would also severely impact our war-fighting 
capability as recognized by the Defense Science Board.
    In the interest of national security, we must ensure 
effective and reliable energy flows to America's critical 
infrastructure facilities. With this in mind, my subcommittee 
initiated a review of the Federal Government's efforts and 
ability to ensure the security of the BPS from cyber attack.
    We became particularly concerned about the private sector's 
efforts to mitigate a vulnerability known as Aurora, which the 
chairman mentioned in his opening remarks, which if exploited, 
could result in catastrophic losses of power for long periods 
of time. I was convinced of the seriousness of this 
vulnerability and began doing all I could to ensure that we 
were fixing it.
    In June 2007, the Electric Sector Information Sharing and 
Analysis Center introduced a voluntary mitigation document to 
the industry. During my review of the electric sector 
mitigation efforts, however, it became evident that mitigation 
was highly inconsistent. I was surprised and disturbed to see 
how dismissive many of the companies were of this 
vulnerability, particularly given the significant technical 
evidence backing up the test.
    Even worse, NERC, the private sector reliability 
organization, seemed uninterested in determining the extent of 
industry compliance. NERC provided false, confusing, or 
misleading testimony to my subcommittee during our 
investigation. Now, NERC has since realized their mistakes, 
corrected their testimony, and began demonstrating the 
leadership that we expect. Nevertheless, I am still worried 
about the electric sector's approach towards timely mitigation 
of cybersecurity vulnerabilities.
    Now, in light of this failure of initiative throughout the 
electric sector, my subcommittee made a formal request of FERC 
to investigate the extent to which owners and operators were 
implementing the Aurora mitigation efforts. Thankfully, FERC 
has demonstrated great initiative, and I want to take this 
opportunity to publicly thank Chairman Kelliher and his staff 
for their efforts.
    FERC's initial observations suggest that while no company 
completely ignored the advisory, there were varying degrees of 
compliance. At this time, the subcommittee also requested that 
FERC assess its ability to respond to an imminent cyber attack 
under the current legal authorities contained in section 215 of 
the Federal Power Act. In testimony before the subcommittee on 
May 21, Chairman Kelliher concluded that additional authorities 
are necessary to adequately protect the BPS, and I fully 
support the chairman's conclusion.
    In the interest of national security, a statutory mechanism 
is necessary to protect the grid against cybersecurity threats. 
I congratulate the subcommittee for its legislative initiative, 
and I have several comments on the draft legislation that are 
before us.
    First, emergency standards should become enforceable upon a 
finding by a national security or intelligence agency. I fear 
that additional executive determinations would create 
unnecessary delays in the protections of the BPS.
    Second, FERC should be authorized to act if either one, a 
malicious act is likely to occur, or two, there is a 
substantial possibility of disruption to the grid due to such 
an act. Specific threat information on this subject is 
difficult to come by, and it would be very hard to put together 
likelihood and consequence. We must not limit the ability of 
our federal agencies to act.
    Finally, I am concerned that the current legislation does 
not cover assets that are outside the definition of the bulk 
power system, which, if left unprotected, will keep our Nation 
vulnerable. As the committee is aware, and as the chairman had 
referred to, the Federal Power Act leaves vulnerable Alaska, 
Hawaii, and many other--and many major cities like D.C. and New 
York and the Nation's critical infrastructures like our 
military installations because they don't fall under the 
definition of the BPS.
    Generation, transmission, and distribution must be 
protected under this legislation, and I would ask the committee 
to consider an amendment that would allow FERC to address cyber 
threats against all of these areas.
    Now, in closing, on this day when we vow to be vigilant in 
protecting the country against threats of all kinds, let nobody 
accuse us of having a September 10 mindset when it comes to 
cybersecurity.
    With that, I want to thank you, Mr. Chairman, for allowing 
me the opportunity to testify today, and I look forward to 
answering your questions. Thank you.
    [The prepared statement of Mr. Langevin follows:]
    Mr. Boucher. Thank you very much, Mr. Langevin. We 
appreciate that testimony, and your comments this morning will 
prove very helpful to us as we proceed with our work. I do not 
have questions of you, at least not at this time. We may 
consult you as we proceed with further steps in this process, 
but I do not have questions of you at this moment.
    I would ask if there are other members of the panel who 
would care to pose questions to Mr. Langevin. Mr. Upton seeks 
recognition.
    Mr. Upton. I just have one. And, Jim, we appreciate your 
testimony and your work on this for sure. You indicated in your 
statement that you feared that the presidential secretarial 
determination as currently provided in the draft legislation 
would create an unnecessary delay in the protection of the BPS, 
but you have to have a chain of command.
    And one of the issues that may be raised is FERC is 
certainly the appropriate agency overseeing the grid and all of 
that, but shouldn't you have someone at the White House or 
someone at the Pentagon, someone, perhaps the Secretary of 
Energy, someone with direct--not that our good friend Joe 
doesn't have access to folks like that.
    But shouldn't you have some White House command similar to 
what happened on 9/11 when the FAA ruled, because of Secretary 
Mineta, that all the planes were going to stop wherever they 
were. That came in direct consultation with the White House, 
and, bingo, it happened. Shouldn't you have that type of chain 
of control--chain of command as part of the legislation which 
seems to be one of the criticisms that you might have here? Am 
I misreading what your comments were?
    Mr. Langevin. That is true, but certainly the Secretary of 
Homeland Security can be clearly a national emergency----
    Mr. Upton. Yes, that would be appropriate too.
    Mr. Langevin [continuing]. Along these lines. But we have 
to understand that in this day and age of cybersecurity, cyber 
attacks, it is one thing if we had days to go through the 
process of ultimately getting a presidential directive in 
place. But when we have actionable intelligence, these types of 
cyber attacks, cyber threats, could actually come in seconds or 
minutes or hours. And when we have direct actionable 
intelligence, there should be a rapid ability to respond.
    And I am concerned about unnecessary delays. Even if this 
directive authority I am suggesting that FERC would be given 
would be temporary in nature until a more permanent solution 
can be addressed would be fine. But I think that we have to 
recognize in this day and age of cyber, things don't move in 
days or weeks. They move in seconds.
    Mr. Upton. I yield back.
    Mr. Boucher. Thank you very much, Mr. Upton. Mr. Langevin, 
we appreciate your attendance here this morning, and we will 
move now to our second panel of witnesses.
    Mr. Langevin. Thank you, Mr. Chairman.
    Mr. Boucher. We are pleased to welcome on the second panel 
the chairman of the Federal Energy Regulatory Commission, Mr. 
Joe Kelliher; Mr. Kevin Kolevar, the assistant secretary of the 
United States Department of Energy; Mr. Rick Sergel, the 
president of the North American Reliability Corporation; Susan 
Kelly, vice-president and general counsel of the American 
Public Power Association; Steve Naumann, vice-president of the 
Exelon Corporation; and Barry Lawson, manager of power delivery 
for the National Rural Electric Cooperative Association.
    We welcome each of our witnesses and thank you for your 
attendance this morning. And your prepared written statements 
will be made a part of our record. We would welcome your oral 
summaries and ask that in the interest of time, you try to keep 
your oral summaries to approximately 5 minutes.
    We are going to operate slightly out of order this morning 
because both Mr. Kelliher and Mr. Kolevar have expressed a need 
to depart rather quickly in order to attend to some rather 
urgent outside business. And so we are going to take their 
opening statements first. We will ask questions of them, and 
then we will proceed to the opening statements and questions of 
the balance of our witnesses.
    And so with that understanding, Mr. Kelliher, we will be 
happy to hear from you, and then Mr. Kolevar.

    STATEMENT OF JOSEPH KELLIHER, CHAIRMAN, FEDERAL ENERGY 
                     REGULATORY COMMISSION

    Mr. Kelliher. Thank you, Mr. Boucher. Mr. Chairman, Mr. 
Upton, members of the subcommittee, I want to thank you for the 
invitation to testify here today, and I want to say it is good 
to be back before the subcommittee. I appreciate the 
opportunity to discuss the need to improve cybersecurity and to 
protect the reliability of the power grid against cyber attacks 
and other national security threats.
    Three years ago, Congress made FERC responsible for 
protecting the reliability of the power grid by establishing 
and enforcing mandatory reliability standards. Congress 
specifically directed FERC to develop cybersecurity standards 
to protect the grid, and we have done so.
    But I am here today to offer my conclusion that the tools 
you gave us 3 years ago are inadequate to the task and that 
FERC needs additional legal authority to adequately protect the 
grid from cyber attacks and other national security threats.
    There has been much progress made on reliability over the 
past 3 years. FERC has certified an electric reliability 
organization. We have established mandatory reliability 
standards including cyber standards. We are working to improve 
those standards over time to raise the bar, and we have 
established a reliability enforcement regime.
    But the grid remains vulnerable to a cyber attack through 
communication devices that could secure access control and 
remote operation of key components of our electricity system, 
such as large generating facilities, substations, transmission 
lines, and local distribution facilities. And that through 
remote operation, a cyber attack could damage or destroy 
generation in other facilities, and because an attack could 
damage or destroy facilities that could take weeks or longer to 
replace, the effects of a successful cyber attack could be much 
greater than a blackout.
    In my view, an effective defense of the power grid from 
cyber attacks has three necessary elements. First, there is a 
need for timely and effective identification of cyber 
vulnerabilities. Second, there is a need to have an ability to 
require mandatory actions that mitigate those vulnerabilities 
on a timely basis, so action that is both rapid and mandatory. 
And third, the ability to maintain the confidentiality of 
information because current law is inadequate to mount such a 
defense.
    FERC is not a national security or intelligence agency, and 
FERC is not in the best position to identify cyber threats. But 
the U.S. government has the ability to identify cyber threats 
in a timely and effective manner. FERC cooperates with agencies 
that are in that position, including the Department of Energy. 
However, there is no adequate means to take mandatory action in 
a timely manner under existing law.
    Currently, there are two means to protect the power grid 
against cyber attacks. The 215 process established by Congress 
in the Energy Policy Act of 2005 and also NERC advisories. But 
in my view, neither is adequate to defend against cyber 
attacks. The 215 process produces reliability standards that 
are mandatory but untimely given the nature of cyber threats. 
And NERC advisories are timely or can be timely, but they are 
also voluntary. Both approaches fail to protect critical 
information.
    FERC is using and will continue to use the process 
established by 215 of the Federal Power Act to set reliability 
standards including cyber standards. But the principal flaw of 
the 215 process is that it takes too long and does not allow 
for the protection of critical information. Under the normal 
215 process, it typically takes years to develop new and 
modified reliability standards including cyber standards. Even 
reliability standards developed under the urgent action process 
can take months or longer.
    Also FERC cannot modify a proposed standard. We can reject 
or remand or approve and direct changes that will occur over 
time, but if we reject a standard, it just simply reinitiates a 
process that could take months or years.
    Why is there a need for timely action in this area? It is 
simply because the cyber threat is different from other 
reliability threats. The section 215 process was designed 
around a fundamentally different reliability challenge, namely 
vegetation management or tree growth, relay maintenance, grid 
control operations, and operator training. The reliability 
threat posed by trees and poor vegetation management is a 
passive threat, while the threat posed by cyber attacks is 
organized and much more active.
    The nature of the cyber threat is different. It is a 
national security threat that may be posed by foreign countries 
or organized groups. A process designed to guard against poor 
vegetation management is poorly suited to meet national 
security threats. There is another limitation in that section 
215 only authorizes FERC to ultimately establish standards and 
that some cyber threats or other national security threats may 
require action that are not standards.
    NERC advisories also, I think, are an inadequate way to 
ensure or to protect cybersecurity. The principal virtue of a 
NERC advisory is speed, but the principal flaw is that 
compliance with those advisories is voluntary. And there is a 
lack of confidentiality.
    NERC issued an advisory last year in response to the Aurora 
cyber threat, and I commend NERC for acting quickly in response 
to that threat. As detailed in my written testimony, FERC has 
been reviewing the industry response to that advisory. I have 
to say the industry has made progress in response to the NERC 
advisory. I think cybersecurity is higher as a result, but our 
review indicates that the industry response has not mitigated 
the Aurora threat. And to some extent, that response is the 
predictable result of reliance on a voluntary advisory.
    Now, confidentiality. I think it is also clear that an 
effective defense against cyber threats requires 
confidentiality. The standards development process under 
section 215 of the Federal Power Act typically imposes few or 
no restrictions on the dissemination of information related to 
development of new standards including cyber standards. The 
case of cyber vulnerabilities and public release of information 
related to cybersecurity could be very harmful, and that FERC 
currently has very limited authority to limit the public 
dissemination of information.
    So in my view, I think there is a need for legislation. I 
think section 215 of the Federal Power Act is an adequate basis 
to address reliability threats other than national security 
threats, such as cyber attacks. And I, for that reason, do not 
believe that section 215 should be amended.
    But I do believe there is a need for legislation that would 
grant FERC a separate authorization to, number one, immediately 
require measures to address known cyber vulnerabilities, such 
as related to Aurora, and two, require mandatory actions needed 
to protect the power grid from future national security threats 
on an interim basis after a finding by the President or the 
Secretary of Energy.
    I think under this approach, it is clear FERC cannot act 
with respect to future cyber and other national security 
threats without such a finding by the President or the 
Secretary. So I think that it appropriately limits us and 
relies on the superior knowledge of the President and the 
Secretary with respect to national security threats.
    It is also vital that a bill allow FERC to take action 
before a cyber attack and not only after the fact. It is 
critical that the threshold or trigger for a finding by the 
President or the Secretary not be so high as to be 
insurmountable, and I think the trigger in the proposed act 
discussion draft is appropriate.
    There is also a need to address national security threats 
other than cyber, but I want to say I do support the staff 
discussion draft as is. It strikes the right balance, and I 
look forward to working with the subcommittee as you move 
towards markup.
    And I do recognize the Department of Energy has a proposal 
that I think also should be considered as you move to markup in 
coming days.
    In conclusion, you gave us the duty 3 years ago to protect 
reliability of the power grid, to establish and enforce 
reliability standards. We are exercising that duty, but we have 
come to the conclusion that we don't have the right tools to 
address the cyber threat. And the reason is that the nature of 
the threat, the reliability threat to the grid is different 
than perhaps was anticipated 3-1/2 years ago.
    And so I do ask you to act and legislate, but until and 
unless you do that, FERC and NERC will use existing 
authorities. We will use the tools we have as best we can. And 
with that, I appreciate the opportunity to testify here today.
    [The prepared statement of Mr. Kelliher follows:]

                    Statement of Joseph T. Kelliher

                                Summary

    The Energy Policy Act of 2005 (EPAct 2005) authorized the 
Federal Energy Regulatory Commission to approve and enforce 
mandatory reliability standards, including cyber security 
standards, to protect and improve the reliability of the bulk 
power system. These reliability standards are proposed to the 
Commission by the Electric Reliability Organization (ERO) (the 
North American Electric Reliability Corporation or NERC), after 
an open and inclusive stakeholder process. The Commission 
cannot author the standards or make any modifications, and 
instead must either approve the proposed standards or remand 
them to NERC. FERC is well underway in implementing the new 
law, including now having in place an initial set of cyber 
security standards, for which full compliance is not required 
until 2010.
    Section 215 is an adequate statutory foundation to protect 
the bulk power system against most reliability threats. 
However, the threat of cyber attacks or other intentional 
malicious acts against the electric grid is different. These 
are national security threats that may be posed by foreign 
nations or others intent on attacking the U.S. through its 
electric grid. The nature of the threat stands in stark 
contrast to other major reliability vulnerabilities that have 
caused regional blackouts and reliability failures in the past, 
such as vegetation management and relay maintenance.
    Damage from cyber attacks could be enormous. A coordinated 
attack could affect the electrical grid to a greater extent 
than the August 2003 blackout and cause much more extensive 
damage. Cyber attacks can physically damage the generating 
facilities and other equipment such that restoration of power 
takes weeks or longer, instead of a few hours or days. 
Widespread disruption of electric service can quickly undermine 
our government, military readiness and economy, and endanger 
the health and safety of millions of citizens. Thus, there may 
be a need to act quickly to protect the grid, to act in a 
manner where action is mandatory rather than voluntary, and to 
protect security-sensitive information from public disclosure.
    The Commission's legal authority is inadequate for such 
action. This is true of both cyber and non-cyber threats that 
pose national security concerns. In the case of such threats to 
the electric system, the Commission does not have sufficient 
authority to timely protect the reliability of the system. 
Legislation should be enacted allowing the Commission to act 
promptly to protect against current cyber threats as well as 
future cyber or other national security threats.

                               Testimony

                        Introduction and Summary

    Mr. Chairman and members of the Subcommittee, thank you for 
the opportunity to speak here today about cyber and other 
national security threats to our Nation's electrical grid, and 
the need for legislation allowing the Federal Energy Regulatory 
Commission (FERC or the Commission) to address those threats 
quickly and effectively. I appreciate the Subcommittee's 
attention to this critically important issue.
    The Energy Policy Act of 2005 (EPAct 2005) gave the 
Commission certain responsibilities for overseeing the 
reliability of the bulk power system. The bulk power system is 
defined to include facilities and control systems necessary for 
operating an interconnected transmission network (or any 
portion thereof), and electric energy from generation 
facilities needed to maintain transmission system reliability. 
EPAct 2005 authorized the Commission to approve and enforce 
mandatory reliability standards, including cyber security 
standards, to protect and improve the reliability of the bulk 
power system. Under this framework, reliability standards are 
developed and proposed to the Commission by the Electric 
Reliability Organization (ERO) (the North American Electric 
Reliability Corporation or NERC) through an open and inclusive 
stakeholder process. The Commission cannot author the standards 
or make any modifications, and instead must either approve the 
proposed standards or remand them to NERC. The Commission is 
well underway in implementing the new law, including now having 
in place an initial set of cyber security standards with 
varying implementation dates. Much progress has been made in 
the past 3 years. However, more work needs to be done, both 
with respect to improving those cyber security standards and 
possibly adding new ones.
    In my view, FERC does not have sufficient authority to 
guard against national security threats to reliability of the 
electric system. Legislation should be enacted allowing the 
Commission to act quickly to protect against current cyber 
threats as well as future cyber or other national security 
threats.

                               Background

    In EPAct 2005, the Congress entrusted the Commission with a 
major new responsibility to oversee mandatory, enforceable 
reliability standards for the Nation's bulk power system 
(excluding Alaska and Hawaii). This authority is in section 215 
of the Federal Power Act. Section 215 requires the Commission 
to select an ERO that is responsible for proposing, for 
Commission review and approval, reliability standards or 
modifications to existing reliability standards to help protect 
and improve the reliability of the Nation's bulk power system. 
The reliability standards apply to the users, owners and 
operators of the bulk power system and become mandatory only 
after Commission approval. The ERO also is authorized to 
impose, after notice and opportunity for a hearing, penalties 
for violations of the reliability standards, subject to 
Commission review and approval. The ERO may delegate certain 
responsibilities to ``Regional Entities,'' subject to 
Commission approval.
    The Commission may approve proposed reliability standards 
or modifications to previously approved standards if it finds 
them ``just, reasonable, not unduly discriminatory or 
preferential, and in the public interest.'' If the Commission 
disapproves a proposed standard or modification, section 215 
requires the Commission to remand it to the ERO for further 
consideration. The Commission, upon its own motion or upon 
complaint, may direct the ERO to submit a proposed standard or 
modification on a specific matter. The Commission also may 
initiate enforcement on its own motion.
    The Commission has implemented section 215 diligently. 
Within 180 days of enactment, the Commission adopted rules 
governing the reliability program. In mid-2006, it approved 
NERC as the ERO. In March 2007, the Commission approved the 
first set of national mandatory and enforceable reliability 
standards. In April 2007, it approved eight regional delegation 
agreements to provide for development of new or modified 
standards and enforcement of approved standards by Regional 
Entities.
    In exercising its new authority, the Commission has 
interacted extensively with NERC and the industry. The 
Commission also has coordinated with other federal agencies, 
such as the Department of Homeland Security, the Department of 
Energy, the Nuclear Regulatory Commission, and the Department 
of Defense. Also, the Commission has established regular 
communications with regulators from Canada and Mexico regarding 
reliability, since the North American bulk power system is an 
interconnected continental system subject to the laws of three 
nations.

          Cyber Security Standards Approved Under Section 215

    Section 215 defines ``reliability standard[s]'' as 
including requirements for the ``reliable operation'' of the 
bulk power system including ``cybersecurity protection.'' 
Section 215 defines reliable operation to mean operating the 
elements of the bulk power system within certain limits so 
instability, uncontrolled separation, or cascading failures 
will not occur ``as a result of a sudden disturbance, including 
a cybersecurity incident.'' Section 215 also defines a 
``cybersecurity incident'' as a ``malicious act or suspicious 
event that disrupts, or was an attempt to disrupt, the 
operation of those programmable electronic devices and 
communication networks including hardware, software and data 
that are essential to the reliable operation of the bulk power 
system.''
    In August 2006, NERC submitted eight new cyber security 
standards, known as the Critical Infrastructure Protection 
(CIP) standards, to the Commission for approval under section 
215. Critical infrastructure, as defined by NERC for purposes 
of the CIP standards, includes facilities, systems, and 
equipment which, if destroyed, degraded, or otherwise rendered 
unavailable, would affect the reliability or operability of the 
``Bulk Electric System.'' NERC proposed an implementation plan 
under which certain requirements would be ``auditably 
compliant'' beginning by mid-2009, and full compliance with the 
CIP standards would not be mandatory until 2010.
    On January 18, 2008, the Commission issued a Final Rule 
approving the CIP Reliability Standards and concurrently 
directed NERC to develop modifications addressing specific 
concerns, such as the breadth of discretion left to utilities 
by the standards. For example, the standards state that 
utilities ``should interpret and apply the reliability 
standard[s] using reasonable business judgment.'' Similarly, 
the standards at times require certain steps ``where 
technically feasible,'' but this is defined as not requiring 
the utility ``to replace any equipment in order to achieve 
compliance.'' Also, the standards would allow a utility at 
times not to take certain action if the utility documents its 
``acceptance of risk.'' To address this, the Final Rule 
directed NERC, among other things: (1) to develop modifications 
to remove the ``reasonable business judgment'' language and the 
``acceptance of risk'' exceptions; and, (2) to develop specific 
conditions that a responsible entity must satisfy to invoke the 
``technical feasibility'' exception. A further example of this 
discretion involved the utility's ability to determine which of 
its facilities would be subject to the cyber security 
standards. For these requirements, the Commission addressed its 
concerns by requiring independent oversight of a utility's 
decisions by industry entities with a ``wide-area view,'' such 
as reliability coordinators or the Regional Entities, subject 
to the review of the Commission. However, until such time as 
the standards are modified by the ERO through its stakeholder 
process, approved by the Commission, and implemented by 
industry, the discretion remains.

Current Process To Address Cyber or Other National Security Threats to 
                         the Bulk Power System

    As an initial matter, it is important to recognize how 
mandatory reliability standards are established under section 
215. Under section 215, reliability standards are developed by 
the ERO through an open, inclusive, and public process. The 
Commission can direct NERC to develop a reliability standard to 
address a particular reliability matter, including cyber 
security threats. However, the NERC process typically takes 
years to develop standards for the Commission's review. In 
fact, the cyber security standards approved by FERC took the 
industry approximately three years to develop.
    NERC's procedures for developing standards allow extensive 
opportunity for industry comment, are open, and are generally 
based on the procedures of the American National Standards 
Institute (ANSI). The NERC process is intended to develop 
consensus on both the need for the standard and on the 
substance of the proposed standard. Although inclusive, the 
process is relatively slow and cumbersome.
    Key steps in the NERC process include: nomination of a 
proposed standard using a Standard Authorization Request (SAR); 
public posting of the SAR for comment; review of the comments 
by industry volunteers; drafting or redrafting of the standard 
by a team of industry volunteers; public posting of the draft 
standard; field testing of the draft standard, if appropriate; 
formal balloting of the draft standard, with approval requiring 
a quorum of votes by 75 percent of the ballot pool and 
affirmative votes by two-thirds of the weighted industry sector 
votes; re-balloting, if negative votes are supported by 
specific comments; voting by NERC's board of trustees; and an 
appeals mechanism to resolve any complaints about the standards 
process. NERC-approved standards are then submitted to the 
Commission for its review.
    Generally, the procedures used by NERC are appropriate for 
developing and approving reliability standards. The process 
allows extensive opportunities for industry and public comment. 
The public nature of the reliability standards development 
process is a strength of the process as it relates to most 
reliability standards. However, it can be an impediment when 
measures or actions need to be taken on a timely basis to 
effectively address threats to national security.
    The procedures used under section 215 for the development 
and approval of reliability standards do not provide an 
effective and timely means of addressing urgent cyber or other 
national security risks to the bulk power system, particularly 
in emergency situations. Certain circumstances, such as those 
involving national security, may require immediate action. If a 
significant vulnerability in the bulk power system is 
identified, procedures used so far for adoption of reliability 
standards take too long to implement effective corrective 
steps.
    FERC rules governing review and establishment of 
reliability standards allow the agency to direct the ERO to 
develop and propose reliability standards under an expedited 
schedule. For example, FERC could order the ERO to submit a 
reliability standard to address a reliability vulnerability 
within 60 days. Also, NERC's rules of procedure include a 
provision for approval of urgent action standards that can be 
completed within 60 days and which may be further expedited by 
a written finding by the NERC board of trustees that an 
extraordinary and immediate threat exists to bulk power system 
reliability or national security. However, it is not clear NERC 
could meet this schedule in practice.
    Even a reliability standard developed under the urgent 
action provisions would likely be too slow in certain 
circumstances. Faced with a cyber security or other national 
security threat to reliability, there may be a need to act 
decisively in hours or days, rather than weeks, months or 
years. That would not be feasible under the urgent action 
process. In the meantime, the bulk power system would be left 
vulnerable to a known national security threat. Moreover, 
existing procedures, including the urgent action procedure, 
would widely publicize both the vulnerability and the proposed 
solutions, thus increasing the risk of hostile actions before 
the appropriate solutions are implemented.
    In addition, the proposed standard submitted to the 
Commission may not be sufficient to address the vulnerability. 
As noted above, when a proposed reliability standard is 
submitted to FERC for its review, whether submitted under the 
urgent action provisions or the usual process, the agency 
cannot modify such standard and must either approve or remand 
it. Since the Commission may not modify a proposed reliability 
standard under section 215, we would have the choice of 
approving an inadequate standard and directing changes, which 
reinitiates a process that can take years, or rejecting the 
standard altogether. Under either approach, the bulk power 
system would remain vulnerable for a prolonged period.

           NERC's ``Aurora'' Advisory and Subsequent Actions

    Currently, the alternative to a mandatory reliability 
standard is for NERC to issue an advisory encouraging utilities 
and others to take voluntary action to guard against cyber or 
other vulnerabilities. That approach provides for quicker 
action, but any such advisory is not mandatory, and should be 
expected to produce inconsistent and potentially ineffective 
responses. That was our experience with the response to an 
advisory issued last year by NERC regarding an identified cyber 
security threat referred to as the ``Aurora'' threat. Reliance 
on voluntary measures to assure national security is 
fundamentally inconsistent with the conclusion Congress reached 
during enactment of EPAct 2005, that voluntary standards cannot 
assure reliability of the bulk power system.
    In response to the Aurora threat, NERC issued an advisory 
to certain generator owners, generator operators, transmission 
owners, and transmission operators. According to NERC, this 
advisory identified a number of short-term measures, mid-term 
measures and long-term measures designed to mitigate the cyber 
vulnerability. NERC asked the recipients to voluntarily 
implement the measures within specific time periods. NERC also 
sent a data request to industry members to determine compliance 
with the advisory. That data request was limited in scope, 
however, asking only that industry members indicate if their 
mitigation plans are ``complete,'' ``in progress,'' or ``not 
performing.''
    The Commission determined that the information sought by 
NERC in the above data request was not sufficient for the 
Commission to discharge its duties under section 215 because it 
did not provide sufficient details about individual mitigation 
efforts for the Commission to be certain that the threat had 
been addressed. For example, it did not provide information 
such as what facilities were the subject of the mitigation 
plans, what steps to mitigate the cyber vulnerability were 
being taken, and when those steps were planned to be taken--
and, if certain actions were not being taken, why not.
    In October 2007, the Commission sought emergency processing 
by the Office of Management and Budget (OMB) of a proposed 
directive to require utilities to provide information 
immediately on their mitigation efforts. OMB posted the 
proposal for public comment in December 2007, and received 
several comments raising issues about the Commission's ability 
to protect sensitive information from public disclosure. The 
Commission ultimately asked OMB to hold the proposal in 
abeyance while Commission staff asked a sampling of generation 
and transmission entities to voluntarily discuss with staff 
their compliance with the Aurora advisory. In February, 
Commission staff began interviewing them. Commission staff has 
conducted 30 detailed interviews with a variety of electric 
utilities geographically dispersed across the contiguous 48 
states, to assess the state of the industry's protection 
against remote access cyber vulnerabilities, including the 
Aurora vulnerability. Each interview typically lasted six to 
eight hours and utilities voluntarily participated. The 
utilities were well prepared with documents to explain their 
actions, and were very cooperative in responding to staff 
questions. Staff found a wide range of equipment, 
configurations and security features implemented by the 
utilities. Several observations can be made based on the 
interviews.
    All of the companies selected by the Commission fully 
cooperated in the interviews. We learned that there was a broad 
range of compliance based on individual interpretations of the 
threat that affected the application of the recommended 
mitigation measures. In fact, all of the utilities interviewed 
by the Commission requested additional information to help 
understand the technical implications of the attack and the 
specific strategies to mitigate the identified vulnerabilities. 
Through these selected interviews, FERC staff has determined 
that although progress has been made by almost every entity it 
interviewed, much work remains to be done and, in large part, 
the Aurora threat remains.
    While NERC can issue an alert, as it did in response to the 
Aurora vulnerability, compliance with these alerts is voluntary 
and subject to the interpretation of the individual utilities. 
Because an alert is voluntary, it may tend to be general in 
nature, and lack specificity. Further, as Commission staff has 
found with the Aurora alert, such alerts can cause uncertainty 
about the specific strategies needed to mitigate the identified 
vulnerabilities and the assets to which they apply.
    Damage from cyber attacks could be enormous. All of the 
electric system is potentially subject to cyber attack, 
including power plants, substations, transmission lines, and 
local distribution lines. A coordinated attack could affect the 
electrical grid to a greater extent than the August 2003 
blackout and cause much more extensive damage. Cyber attacks 
can physically damage the generating facilities and other 
equipment such that restoration of power takes weeks or longer, 
instead of a few hours or days. The harm could extend not only 
to the economy and the health and welfare of our citizens, but 
even to the ability of our military forces to defend us, since 
many military installations rely on the bulk power system for 
their electricity. The cost of protecting against cyber attacks 
is difficult to estimate but, undoubtedly, is much less than 
the damages and disruptions that could be incurred if we do not 
protect against them.
    The need for vigilance may increase as new technologies are 
added to the bulk power system. For example, ``smart grid'' 
technology may provide significant benefits in the use of 
electricity. These include the ability to manage not only 
energy sources, but also energy consumption, in the reliable 
operation of the Nation's electric grid. However, smart grid 
technology will also introduce many potential access points to 
the computer systems used by the electric industry to operate 
the electric grid. Security features must be an integral 
consideration. To some degree, this is similar to the banking 
industry allowing its customers to bank on line, but only with 
appropriate security protections in place. As the ``smart 
grid'' effort moves forward, steps will need to be taken to 
ensure that cyber security protections are in place prior to 
its implementation. The challenge will be to focus not only on 
general approaches but, importantly, on the details of specific 
technologies and the risks they may present.

                   Key Elements of Needed Legislation

    In my view, section 215 is an adequate statutory foundation 
to protect the bulk power system against most reliability 
threats. However, the threat of cyber attacks or other 
intentional malicious acts against the electric grid is 
different. These are national security threats that may be 
posed by foreign nations or others intent on attacking the U.S. 
through its electric grid. The nature of the threat stands in 
stark contrast to other major reliability vulnerabilities that 
have caused regional blackouts and reliability failures in the 
past, such as vegetation management and relay maintenance. 
Though the nature of the threat is different, the consequences 
are identical. Widespread disruption of electric service can 
quickly undermine the U.S. government and economy and endanger 
the health and safety of millions of citizens. Given the 
national security dimension to this threat, there may be a need 
to act quickly to protect the grid, to act in a manner where 
action is mandatory rather than voluntary, and to protect 
certain information from public disclosure. Our legal authority 
is inadequate for such action. This is true of both cyber and 
non-cyber threats that pose national security concerns. In the 
case of such threats to the electric system, the Commission 
does not have sufficient authority to timely protect the 
reliability of the system.
    I ask Congress to enact legislation, outside of section 
215, containing the following major elements. The bill should 
direct the Commission to establish, after notice and 
opportunity for comment, interim reliability measures to 
protect against the threats identified in NERC's ``Aurora'' 
advisory and related remote access issues. These interim 
measures could later be replaced by reliability standards 
developed, approved and implemented under the section 215 
process. The bill also should allow the Commission, upon 
directive by the President (directly or through the Secretary 
of Energy), to issue emergency orders directing actions 
necessary to protect the reliability of the bulk power system 
against an imminent cyber security or other national security 
threat. Significantly, FERC could only act upon such a 
directive. This reflects the reality that the President and 
national security and intelligence agencies such as DOE are in 
a better position than the Commission to determine the nature 
of a national security threat, while the Commission has the 
expertise to develop appropriate interim reliability measures.
    I emphasize that the latter authority should apply not only 
to cyber security threats but also to other national security 
threats. Intentional physical malicious acts (targeting, for 
example, critical substations and generating stations) can 
cause equal or greater destruction than cyber attacks and the 
Commission should have no less ability to address them when an 
emergency arises. This additional authority would not displace 
other means of protecting the grid, such as action by federal, 
state and local law enforcement and the National Guard, but the 
Commission has unique expertise regarding the reliability of 
the grid, the consequences of threats to it and the measures 
necessary to safeguard it. If particular circumstances cause 
both FERC and other governmental authorities to require action 
by utilities, FERC will coordinate with other authorities as 
appropriate.
    The bill should allow measures or actions that might be 
imposed under this new authority to be replaced by standards 
developed under section 215 where applicable. For example, 
there may be circumstances in which use of the section 215 
process would not be applicable, such as when targeted and/or 
temporary measures are necessary based on specific threat 
information. Also, the Commission should be allowed to maintain 
appropriate confidentiality of any security-sensitive 
information submitted or developed through the exercise of this 
authority.
    The bill also should address the following details. First, 
the bill should allow the Commission to take emergency action 
before a cyber or other national security incident has 
occurred, if there is a likelihood of a malicious act or a 
substantial possibility of disruption due to such an act. In 
order to protect the grid, it is vital that the Commission be 
authorized to act before a cyber attack. It is equally 
necessary that the threshold for a threat determination not be 
so high as to be insurmountable. Second, with respect to the 
Aurora and related cyber threats of which we are aware today, 
the Commission should be permitted and directed, after notice 
and comment, to require owners, users and operators of the bulk 
power system to take adequate measures to address those 
threats, and those measures should remain in effect until the 
measures are no longer necessary, for example, if replacement 
standards are approved and implemented under section 215. 
Third, with respect to other actions or measures the Commission 
might order to address future imminent threats to reliability, 
any time-triggered sunset provision applicable to emergency 
actions ordered by the Commission should allow an exception if 
the President (directly or through the Secretary of Energy) 
reaffirms the continuing nature of the threat. In the event 
that the action is determined to be no longer necessary or if 
the measures or actions ordered by the Commission are replaced 
by standards approved and implemented under section 215, the 
Commission should issue a ``discontinuance'' order.
    Finally, Congress should be aware of the fact that if 
additional reliability authority is limited to the ``bulk power 
system,'' as defined in the FPA, it would exclude protection 
against reliability threats and emergency actions involving 
Alaska and Hawaii and possibly the territories, including any 
federal installations located therein. The current 
interpretation of ``bulk power system'' also would exclude some 
transmission and all local distribution facilities, including 
virtually all of the grid facilities in large cities such as 
New York and Washington, D.C., thus precluding possible 
Commission action to mitigate imminent cyber or other national 
security threats to reliability that involve such facilities 
and major population areas.

                               Conclusion

    The Commission's authority is not adequate to address 
urgent cyber or other national security threats. These types of 
threats pose an increasing risk to our Nation's electric grid, 
which undergirds our government and economy and helps ensure 
the health and welfare of our citizens. Congress should address 
this risk now.
    Thank you again for the opportunity to testify today. I 
would be happy to answer any questions you may have.
                              ----------                              

    Mr. Boucher. Thank you very much, Mr. Kelliher. Mr. 
Kolevar, we will be happy to hear from you.

 STATEMENT OF KEVIN M. KOLEVAR, ASSISTANT SECRETARY, OFFICE OF 
ELECTRICITY DELIVERY AND ENERGY RELIABILITY, U.S. DEPARTMENT OF 
                             ENERGY

    Mr. Kolevar. Thank you, Mr. Chairman, members of the 
committee, for the opportunity to testify before you today on 
this critically important matter. Let me just note at the 
beginning that, as you would expect, the chairman and I and our 
staff have discussed this issue on a number of occasions. I 
would like to associate myself with his remarks. I think that 
as we move forward, you will find broad agreement between the 
Department of Energy and the FERC.
    This hearing addresses more than just a reliability 
concern. It addresses a national security concern. The 
Department of Energy and FERC and the electric sector must work 
cooperatively toward eliminating cyber vulnerabilities in 
control systems and preventing malicious cyber attacks on our 
electric infrastructure. Our Nation's electric power grid must 
be better protected. We must harden our power system.
    The Department of Energy regularly discovers new 
vulnerabilities in the control systems employed by many 
utilities. This is not hyperbole. Let me assure you that cyber 
attacks against control systems have occurred, and they are 
becoming increasingly sophisticated.
    The director of National Intelligence only underscored 
these concerns when he acknowledged earlier this year that 
cyber exploitation has not only grown more sophisticated but 
more targeted and more serious. Embedded processes and 
controllers in critical sectors are being targeted for 
exploitation and potentially for disruption or destruction with 
increasing frequency by a growing number of adversaries, not 
all of whom are in the pay of foreign governments.
    According to one senior CIA analyst, some cyber intrusions 
in utilities have been followed by extortion demands. Cyber 
attacks have been used to disrupt power equipment in regions 
outside the United States, and in at least one case, a cyber-
based disruption caused an outage that affected multiple 
cities.
    Let me for a moment drill down on one point, and this 
actually speaks to Congressman Rogers's point. The following 
text is drawn from the intelligence community assisting us in 
preparation of this draft. For a nation-state to execute a 
coordinated attack across the Nation with certainty at a point 
in time chosen to have geopolitical or military effect would 
require considerable planning and would require sustained 
access during an extensive preparation period to numerous 
points in the control systems that help operate the national 
grid.
    Planning this type of attack would require extensive 
collection of information, expertise on both cyber and power 
systems, probably some type of extensive modeling to be sure of 
the effect, and then gaining and maintaining access to the 
actual target systems. Even maintaining reliable clandestine 
access requires resources and constant attention because system 
software and configurations change over time, and the adversary 
must be careful not to tip his hand with obvious activity.
    Gaining initial access to particular systems may require 
the recruitment of insiders or conducting supply chain attacks, 
which might require months or years of preparation. Even 
gathering the necessary detailed information needed to identify 
targets and possible points of access may require some form of 
long-term clandestine operations.
    As a matter of risk management, we need to make sure that 
we are not facilitating each of these critical steps for our 
adversaries by leaving ourselves open to collection of target 
information, open to easy access and reconnaissance or 
vulnerable by virtue of leaving systems misconfigured or 
unpatched.
    The Departments of Energy and Homeland Security have been 
working with industry to increase awareness and to help them 
make sensible risk management choices. And, Mr. Chairman, I 
think this also speaks to the confidentiality requirements that 
the chairman mentioned.
    To be clear, however, notwithstanding the many difficulties 
associated with the execution of a very serious cyber attack on 
the electric sector, the potential consequences are 
significant. For that reason, a limited role for the federal 
government is warranted if the Nation's energy infrastructure 
is to be protected.
    The Department has been substantively engaged on this issue 
for some time. In 2003, DOE's Office of Energy Assurance, the 
predecessor program to the Office of Electricity Delivery and 
Energy Reliability, was designated to work directly with the 
energy owners and operators to protect energy infrastructures 
from all hazards and make them become more resilient.
    DOE does this by selectively conducting vulnerability 
assessments and applying sound risk management practices at 
critical facilities, and we implement physical and cyber 
solutions to mitigate the risks based on the vulnerabilities we 
identify. To date, the department and its national laboratories 
have conducted test bed and onsite field assessments of 15 
common control systems used widely across the energy sector.
    These assessments have revealed vulnerabilities ranging in 
severity from minimal to high impact. With 17 testing 
facilities from five Department of Energy national 
laboratories, we are also constantly leveraging an extensive 
intelligence gathering network, proven methodologies, and 
highly skilled professionals from across the national security 
and intelligence communities, in particular DHS, to assess and 
interpret threat information.
    Nevertheless, we need to do more and be thoughtful. The 
cyber threat to electric power systems is certainly among the 
most critical in our Nation's infrastructure. However, 
cyberspace has become critical to all of our other 
infrastructures as well with potential national security, 
economic, and safety concerns. As a Nation, we need to make 
sure that we are addressing risk management across all of our 
infrastructures in a holistic manner and that we not solve one 
problem only to create new problems or restrain solutions 
elsewhere.
    As a result, we believe any legislation should be carefully 
coordinated across the executive branch. We need to move 
expeditiously to protect the power grid, but let us get this 
right. The administration is continuing to examine what 
additional authorities are appropriate for DOE and the FERC.
    To the extent that Congress acts in this area, we recommend 
that it consider the following: allow the FERC to establish 
interim reliability standards for the purpose of rapidly 
responding to specific electric sector vulnerabilities. When 
presented with a credible cyber threat against the bulk power 
system, such interim reliability standards could provide an 
effective bridge until being replaced by cybersecurity 
reliability standards developed, approved, and implemented 
pursuant to section 215.
    With respect to potential measures in the face of an 
imminent threat to the bulk power system, allow the Department 
of Energy to issue an order for immediate remedial action. That 
order could stand until new FERC interim standards or standards 
developed pursuant to section 215 were put into place.
    Mr. Chairman, that concludes my statement. I am prepared to 
take any questions.
    [The prepared statement of Mr. Kolevar follows:]

    Mr. Boucher. Thank you very much, Mr. Kolevar. Mr. 
Kelliher, I am going to direct my questions to you, and I would 
appreciate your turning, if you have the information there, to 
the audit, which the NERC conducted of the 1,200 entities 
connected to the bulk power system that received the FERC 
advisory recommending certain steps that should be taken to 
enhance protection against cybersecurity threats and outlining 
a schedule of either 90 days in the case of some steps or 180 
days in the case of other steps, by which those protections 
should be put in place.
    You audited a number of those 1,200 entities. As I recall, 
that number was 30. Is that correct?
    Mr. Kelliher. Yes sir.
    Mr. Boucher. With regard to those 30 audited companies, how 
many did you find that were at the time of your audit in full 
compliance with the advisory that had been issued by the NERC?
    Mr. Kelliher. Seven of the 30, sir.
    Mr. Boucher. So seven of the 30 were in full compliance? Of 
the remaining 23, had some of those taken some steps toward 
compliance but were not in full compliance? Or were there any 
among those 23 that had taken no steps at all?
    Mr. Kelliher. I believe all of the 23 took some steps. It 
varied on how many they took.
    Mr. Boucher. How many would you classify, based on your 
audit, as still being vulnerable to the Aurora vulnerability 
determined by the Idaho laboratory?
    Mr. Kelliher. Well, that is a more difficult question 
because full compliance with the advisory itself, in our view, 
wouldn't necessarily mitigate the Aurora threat. So you are 
really asking, which companies went beyond the advisory to take 
steps broader than what NERC had recommended. And that we would 
say two of the 30 had mitigated the Aurora threat.
    Mr. Boucher. Leaving 28 still vulnerable in FERC's view?
    Mr. Kelliher. Yes, sir.
    Mr. Boucher. OK, talk a little bit about what you found in 
terms of the compliance schedules that had been adopted by the 
various utilities. Did some of them have truly extraordinary 
schedules extending over many years as compared to the NERC 
advisory, which was that these steps be put in place within 180 
days?
    Mr. Kelliher. Yes sir, and I think there was some confusion 
in some of the companies between the timelines in the NERC 
advisory and the scope of facilities affected covered by the 
NERC advisory with the rules that the Commission issued, the 
cyber standards that the Commission approved in January, which 
envisioned a longer time frame than the NERC advisory. Some 
companies incorrectly assumed that the longer timelines in the 
FERC rule govern their compliance with the NERC advisory.
    Mr. Boucher. So they really didn't understand the NERC 
advisory?
    Mr. Kelliher. Some of them certainly did not understand the 
timelines of when their actions were supposed to take place.
    Mr. Boucher. All right, did you find that there were 
utilities that had done little or nothing in compliance with 
the NERC advisory other than simply preparing for the FERC 
interview that was a part of your audit?
    Mr. Kelliher. They readily participated in our review, so I 
think the industry gets credit for openly participating. They 
did ask for some confidentiality, and because they are 
providing this information voluntarily, we agreed to that. In 
some cases, I don't think there was a sufficient understanding 
of what facilities really should be covered by the NERC 
advisory. I think companies thought they could freely determine 
if facilities were not part of the bulk power system and were 
therefore not covered by the advisory, and then shrink the 
scope of facilities where they might have to act to protect 
cybersecurity.
    In other cases, there was a lack of appreciation for the 
communication among their facilities. Many and really most 
electric facilities are capable of remote operation, and some 
utilities didn't seem to appreciate how interconnected some of 
their facilities were.
    Mr. Boucher. And so I gather from that answer that there 
were utilities that incorrectly assumed that their equipment 
was not vulnerable to the Aurora vulnerability, when, in fact, 
you could readily see that that equipment was subject to that 
vulnerability?
    Mr. Kelliher. Yes, sir.
    Mr. Boucher. Did you find any entities that excluded 
critical assets from the implementation to the extent they were 
implementing the NERC advisory that should have, in fact, been 
covered and been a part of that implementation?
    Mr. Kelliher. Yes, sir, we think some facilities should 
have been included that were not.
    Mr. Boucher. Let me ask for your reasoning, briefly stated, 
on some of the key issues that we have detected as remaining 
outstanding where there is some difference of opinion among 
interested parties with regard to the discussion draft that we 
have put forward. Specifically the definition of what 
constitutes a cybersecurity threat, whether or not the 
authority that is extended to the FERC should go beyond 
protecting against cybersecurity attacks to protecting against 
physical attacks to those facilities, whether or not--I am 
sorry--the conditions under which there should be a sunset on 
the emergency powers that would be granted upon a Presidential 
or Secretary of Energy designated emergency?
    And then finally, the scope of the authority granted to you 
in terms of its basic coverage. Should it extend beyond the 
continental bulk power system to the States of Alaska and 
Hawaii? Should it extend to major distribution systems in our 
largest cities such as New York and Washington, D.C.? And I 
realize that is a question that could occupy a half hour in 
response. What I am asking for is maybe a 3-minute response if 
you could.
    Mr. Kelliher. OK, I will do my best. In terms of threshold, 
I think the threshold in the bill is appropriate. If the 
threshold is set so high that it is virtually impossible for 
the President or the Secretary to make a threat determination, 
then it is probably better not to legislate in the first place 
because you will end up with a statute that becomes somewhat of 
a dead letter.
    With respect to scope of facilities, we think the scope is 
appropriate, but it is important for the subcommittee to 
understand that it is not true that the only cyber threat to 
the U.S. electricity system is directed at the bulk power 
system. It can be directed towards other transmission 
facilities that are not part of the bulk power system. It can 
be directed towards local distribution facilities.
    In part, we support the current scope because from FERC's 
point of view, that is what you entrusted to us 3½ years 
ago. You said FERC, you are responsible to assure reliability 
of the bulk power system, not the entire electricity system of 
the United States. We are sticking with what you entrusted to 
us 3 years ago. We think that scope is appropriate, but we 
don't want the subcommittee to think that is the only part of 
the U.S. electricity system that is at risk.
    You had four questions. That was only two of them. The----
    Mr. Boucher. Well, also the conditions under which there 
could be a sunset on the emergency power.
    Mr. Kelliher. The sunset? I frankly don't think a sunset is 
appropriate because we are talking about emergency powers and 
national security law. And FERC isn't usually associated with 
emergency powers, and I think a sunset is inconsistent with the 
exercise of emergency power.
    Mr. Boucher. Well, if the emergency subsides, then 
obviously the powers associated with addressing that emergency 
would no longer be necessary.
    Mr. Kelliher. Yes, sir, but I think part of it is how 
likely do you think the President or the Secretary of Energy 
would be to declare a threat? If the threat subsided, I think 
the President and the Secretary would be ready to acknowledge 
that the threat had subsided. And then the FERC action would 
terminate.
    Mr. Boucher. Well, it sounds like your answer to that 
question is upon a Presidential or Secretary of Energy 
determination that the threat has ended--because some of the 
other proposals would have automatic termination----
    Mr. Kelliher. Yes, sir.
    Mr. Boucher [continuing]. Upon a period of 1 year----
    Mr. Kelliher. Yes, sir.
    Mr. Boucher [continuing]. As an example unless the 
emergency was reviewed by affirmative action of the executive. 
And so your thought on that would be what?
    Mr. Kelliher. I think a sunset is workable, but I think it 
is inconsistent generally with national security law and the 
exercise of emergency powers. And you have one more question I 
haven't gotten to, sir, but I----
    Mr. Boucher. The definition of what constitutes an 
emergency----
    Mr. Kelliher. OK.
    Mr. Boucher [continuing]. And the notion of substantially 
as a part of the statutory definition.
    Mr. Kelliher. We support the ``or'' configuration not the 
``and'' configuration because we think the ``and'' 
configuration just sets the bar too high.
    Mr. Boucher. That is too limiting in your view?
    Mr. Kelliher. Yes, sir.
    Mr. Boucher. All right, thank you. One other question I 
have.
    Mr. Kelliher. Yes, sir.
    Mr. Boucher. Did you estimate while you were undertaking 
your audit of entities attached to the bulk power system what 
the cost of complying with the FERC advisory would be for the 
typical attached entity? That is a key consideration. If it is 
a minor cost, then there would be little reason for 
noncompliance to have occurred certainly to the extent that it 
did.
    If it is a major cost, then obviously a different set of 
considerations begin to apply, and that would necessarily 
affect timeframes that you would want to have in your order or 
that we might want to have in the statute for obtaining 
compliance. So the question of cost is relevant. As a part of 
your audit, did you address that question? And if so, do you 
have an estimate of what the cost of compliance per covered 
facility would be?
    Mr. Kelliher. We do not have a good estimate of what the 
cost of compliance would be. One aspect of FERC being the actor 
in this area is that FERC is a regulatory agency, and we can 
provide for cost recovery. And I think that is an important 
consideration to industry. And we don't regulate all parts of 
the electricity industry--I wanted to make sure Sue Kelly heard 
me say that.
    Mr. Boucher. It is an important concern to industry, but a 
larger concern that we take into consideration is the ultimate 
cost to the energy----
    Mr. Kelliher. Yes, sir.
    Mr. Boucher [continuing]. User as well.
    Mr. Kelliher. Yes, sir.
    Mr. Boucher. And cost recovery simply shifts it downward----
    Mr. Kelliher. I agree.
    Mr. Boucher [continuing]. To the ultimate user, and that is 
something we would need to consider. So----
    Mr. Kelliher. Yes, sir.
    Mr. Boucher [continuing]. One thing that I would be very 
interested in learning, and perhaps other witnesses in their 
opening statements could address this, is what that estimated 
cost would be. My time has been grossly exceeded here. Mr. 
Kelliher, you have been very helpful. I thank you and recognize 
the gentleman from Michigan for his questions.
    Mr. Upton. Thank you again for your testimony this morning. 
I do have a couple of questions. And for me again, I am very 
anxious for our classified briefing with perhaps a few more 
parties that can help us with this issue so that we can 
appropriately so come up with the absolute best vehicle.
    And of course, as I think back, it was the blackout through 
much of the Midwest that really prompted the '05 bill. That was 
the engine that drove the train, bringing about those 
reliability standards which passed on a pretty broad bipartisan 
basis. Both Mr. Dingell and Mr. Barton had key roles. They 
supported the bill. The same thing was in the Senate. I was a 
part of that conference, and we are glad to see it happen.
    And I guess if I had to use an analogy, I raised about the 
FAA towers, the FAA control back on 9/11 today ordering all the 
planes to come down. In essence, you all can send out 
advisories, but you can't enforce what you have to say. So it 
would be very much along what American Airlines was told a few 
months ago when they literally had to shut down their airline 
as they had to rebundle all of those wiring packages in their 
planes because the advisory came out. And those planes couldn't 
fly until it was done. And in essence, I would think that we 
need to make sure that you have the power to, as you issue 
those advisories, to make sure that they are completed in a 
timely manner.
    And in response to Mr. Boucher's question about cost, I 
suppose as part of that advisory, you could ask the utilities 
what they anticipate those costs to be. Is that not something 
that you do now then in terms of the advisories that go out or 
not?
    Mr. Kelliher. Certainly with respect to any action we take 
to mitigate the Aurora threat, that would be through a notice 
and comment rulemaking, and the industry would certainly raise 
cost in the context of that rulemaking.
    Mr. Upton. What type of trigger would you mean? As we think 
about Jim Langevin, our colleague who spoke earlier in terms of 
the chain of command. And one of the issues that he raised was 
that it may happen so fast, cyber seconds, you may not have 
time to go to the whatever chain of command that you have, 
whether it be the NSA, the President, the Secretary of Energy. 
What type of pre-trigger would you suggest be employed for you 
to I would suppose, what shut down a utility or shut down part 
of the grid to make sure that it doesn't expand? Is that the 
type of threat that you would envision would happen?
    Mr. Kelliher. Let me try to come up with a hypothetical 
that could try to put it in place, and hypotheticals are 
sometimes useful, sometimes not helpful. But I will take the 
risk. Let us assume that the Department of Energy or the 
President or somewhere in the National Security Agency, they 
identified some threat to substations in a city. There was some 
effort to destroy substations, and the President or the 
Secretary made a finding consistent with the statute, that 
there is a credible--I don't actually remember the exact 
words--but the President or the Secretary made a finding 
consistent with the statute.
    FERC would not be in a position to make that finding 
because we are not an intelligence agency. But upon that 
finding, we could theoretically identify where there are spare 
transformers in a country. We could theoretically order them to 
be relocated to that metropolitan area in anticipation of a 
possible attack. And we could also allow for cost recovery for 
the owners of those transformers, if they are regulated 
entities. And we could try to come up with a creative approach 
to address cost recovery if they are not.
    That is the kind of thing that conceivably we could do 
under this scenario. In an urban area, we could order 
generators to have higher spinning--to operate their system 
differently to basically have more generation on call in the 
event some facilities were damaged or destroyed.
    So there are operational changes that we could order. We 
could order the relocation of spare transformers, and there 
would be other hypotheticals as well.
    Mr. Upton. That would take time though. I mean that would 
actually be something--by the time you located a generator and 
move it to the right spot, it could----
    Mr. Kelliher. Not the second one. Ordering generators to 
have higher spinning reserve levels, that is something that 
could be done immediately.
    Mr. Upton. You know, as I think about what happened back in 
'05--and remember I am from Michigan----
    Mr. Kelliher. Yes, sir.
    Mr. Upton [continuing]. So go like this. And I live over 
here, and we have two nuclear plants, and I can remember one of 
our plants, the Palisades plants, they were within less than a 
minute of shutting that facility down because of the drain on 
the network from Columbus and Ohio and other places. It was 
just sucking the power through the grid, and had that shut that 
plant down, it would have gone right around the horn over to 
Chicago. And it would have been even far worse. So they had to 
make the decision as to whether they were going to keep it 
online. And thank goodness they didn't have to hit the shutoff 
button, which who knows how long. It would have been much 
longer, much more in damages in terms of what would have 
happened.
    But that was their own independent decision as to whether 
they were going to--and I think it was Consumers Energy then 
owned it. It could have been Entergy, but it was that nuclear 
plant that, because it stayed on, actually prevented it from 
going and hitting even more of the Midwest than what happened.
    But as I recall that was their own independent decision. It 
wasn't FERC that told them to shut it down or somebody else. 
And I don't know if the '05 act would change that, who would 
enforce it. If it was a cyber act, you would think that again 
it would be pretty--whoever the president would be would take 
almost immediate action to try and prevent damages or loss from 
expanding beyond perhaps individual facilities which would 
trigger even broader blackout for who knows how long.
    Mr. Kelliher. That kind of scenario in terms of the 2003 
blackout, that might--I am not familiar with the particular 
circumstances of that nuclear plant. But that is something that 
could be covered by the reliability standards that the 
Commission approved a year-and-a-half ago. But if----
    Mr. Upton. But who would give that order? I mean would 
you--are you able now to enforce----
    Mr. Kelliher. I think----
    Mr. Upton [continuing]. Have some enforcement action?
    Mr. Kelliher. I can't say with certainty that there is a 
current reliability standard that would govern the decision by 
a nuclear plant whether or not to continue to operate because 
nuclear plants--there are standards that the NERC establishes, 
the governing loss of offsite power. And nuclear plants, I 
think they generally do shut down when they lose offsite power.
    So we have tried to synch up our reliability standards with 
NERC standards, and we wouldn't want to interfere with NERC 
safety standards.
    Mr. Upton. Yes, I wonder if we should have the NERC as a 
participant in our meeting next week. Probably should. So I 
have gone beyond my time as well, so I yield.
    Mr. Kolevar. Mr. Chairman, if I can respond to the 
Congressman's question as well. When we look at this, there are 
really probably three situations that we need to think about 
when we are talking about threats to the grid and then 
immediate reliability implications and long-term reliability 
implications.
    Congressman, I think the situation you described falls into 
the latter category. Those are actions that the utilities would 
take or that the operators at that nuclear facility would take 
as a result of the standards development process.
    When we are looking at the draft legislation today at the 
Department of Energy, we really seek two other scenarios. One 
is you have a credible threat probably against a specific 
facility or a portion of the grid that requires immediate 
action. The Department of Energy does exercise some similar 
emergency authorities for the purposes of interconnection in 
particular. And that can be issued in about an hour. I think 
the FERC actually has some similar authorities to 202C that are 
able to be executed very quickly.
    So that is your imminent immediate threat to which the 
Federal Government must take action and respond and give 
direction to the sector.
    The second is the situation that I think Aurora 
exemplifies, and that is a vulnerability. But the risk of 
exploitation of that vulnerability is relatively low. You don't 
have a player. You don't have a time. You don't have a specific 
threat. And in that type of situation, that does speak to an 
interim authority at the FERC over a period of 90 days, 120 
days, 6 months, whatever it is that the commission of the 
utilities decide is most appropriate to speak to that threat 
and identify the interim standards that are going to be 
employed to ensure that that threat can't be exploited.
    Mr. Upton. Thank you.
    Mr. Boucher. Thank you very much, Mr. Upton. The gentleman 
from Oregon, Mr. Walden, is recognized for 5 minutes.
    Mr. Walden. Thank you very much, Mr. Chairman. I think it 
is appropriate we are having this hearing today because I think 
for some of us this issue really came to life in a post-9/11 
environment, some of the briefings that we had at that time. 
And for those of us in the West with the long interconnection 
ties, I think of my district in Oregon where we ship the power 
from the hydro system through those big DC converter lines down 
to California at all. That there are enormous vulnerabilities 
and opportunities for mischief, if not downright destruction.
    And I guess, Mr. Kelliher, I would like to ask a couple of 
questions. One involves this--and I have had no classified 
briefings on this. So if I stumble into an area I don't belong, 
shut me down. That is fine. But it would seem to me that, if 
there is a cyber threat, is the issue that they can do a phase 
shift then and modify the power itself and cause disruption in 
the transformers. Is that part of it? Can they do voltage 
spikes? Blow up the transformers? What sorts of issues do we 
need to be aware of here?
    Mr. Kelliher. It is probably better to say they can cause 
physical damage and actually destroy facilities like 
transformers, and there are different ways they can--a cyber 
attack could cause that damage.
    Mr. Walden. And then when it comes to the destruction of 
transformers, because that could be done with an explosive 
device. I mean today somebody could go out to one of those 
substations and do damage. Have we in the interceding 7 years 
taken stock of sort of our transformer supply? Because my 
understanding is that it could take months if not perhaps 
longer than that to replace some of these transformers if you 
had to start over from scratch and build them. Is that correct?
    Mr. Kelliher. We have taken the first steps at FERC to 
encourage the development of spare transformers.
    Mr. Walden. OK.
    Mr. Kelliher. Because, as you say, transformers, they can 
take months, perhaps a year or longer actually to manufacture. 
And there generally are not very many spare transformers in the 
United States.
    Mr. Walden. They are very expensive.
    Mr. Kelliher. They are very expensive. So we have issued an 
order that would provide for cost recovery to the extent 
regulated companies develop spare transformers so that they 
could then be pooled for use.
    Mr. Walden. And do you know are there companies taking 
advantage of that?
    Mr. Kelliher. I don't know the status of whether there has 
been an increase in the purchase of transformers. We have an 
order that allows for cost recovery. I don't know what has 
followed the issuance of our order.
    Mr. Walden. Because I can see an oversight hearing post 
some event where we question the utilities about why they 
didn't take advantage of that and have at least some sort of 
backup. I realize you are not going to have one for one. I 
fully understand that, but it would seem to me that is an area 
where we would need backup because isn't the alternative that 
the grid could be down for a long period of time?
    Mr. Kelliher. Certain facilities can be damaged or 
destroyed, and that is different than a blackout scenario where 
you can recover relatively quickly. Recovery could take longer 
in the wake of a successful cyber attack.
    Mr. Walden. Or a physical attack.
    Mr. Kelliher. Yes, sir.
    Mr. Walden. Either one. So it would seem to me that, one, 
we need to investigate more in terms of where utilities are in 
backup transformers because that just seems logical to me. Just 
as you have generators ready to go in case there is a hurricane 
somewhere or any other disaster. This notion of having backup 
transformers would certainly make sense.
    This other issue about having to have a presidential 
declaration and all. It would strike me--and perhaps, Mr. 
Kolevar, you can address this as well--that if a utility or 
grid manager got word that there is some potential cyber 
attack, wouldn't they want to react instantly to stop any 
damage to their systems?
    Mr. Kolevar. I would expect they would.
    Mr. Walden. And I heard some reference that it could take 
upwards of an hour perhaps. Why would it take that long?
    Mr. Kolevar. Your question goes to the actions that the 
utility----
    Mr. Walden. Right.
    Mr. Kolevar [continuing]. Upon information----
    Mr. Walden. Like shutting down a nuclear plant.
    Mr. Kolevar [continuing]. Would take. My experience with 
the electric sector is they would take immediate actions to 
protect their system. They do that now when they have anomalies 
on the grid. To the extent that you are talking about an 
emergency order issued by the Federal Government--and for our 
purposes, we think the analogous order is a section 202C order 
under the Federal Power Act where the Secretary of Energy finds 
that an emergency exists in the sector, and that might be 
because of a natural disaster. The hurricanes that hit in 
2005----
    Mr. Walden. Right.
    Mr. Kolevar [continuing]. Caused one. Or we have a 
reliability emergency, which was the case in the order that was 
issued for the local Mirant plant on the Potomac River. And the 
point is to say that where there is a need to act quickly with 
Federal orders speaking to the operation of a system, that 
there is a history of the Federal Government moving very 
quickly from administration to administration in preparing and 
releasing an order to the electric sector to respond 
accordingly.
    Mr. Walden. All right, Mr. Chairman, I know my time has 
expired, and I know we have been joined by my colleague from 
Illinois. So I would thank you for your indulgence.
    Mr. Boucher. Thank you very much, Mr. Walden. The gentleman 
from Illinois is welcomed to the subcommittee today, and Mr. 
Shimkus is recognized for 5 minutes.
    Mr. Shimkus. Thank you, Mr. Chairman. I was on the floor, 
as you know, fighting for coal. Thought you would appreciate 
that.
    Mr. Boucher. Did you bring some with you?
    Mr. Shimkus. Right here. It is good southern Illinois coal.
    Mr. Boucher. We talked about coal a lot in this 
subcommittee. I am not aware we have actually had it here 
before.
    Mr. Shimkus. Well ----
    Mr. Boucher. I thank the gentleman.
    Mr. Shimkus. We need a new good electric grid for all that 
Illinois coal to be used in electricity generation and spread 
to lower prices for all over the country, Chairman. I am 
unprepared to follow up with concise questions. So I will just 
yield back, Mr. Chairman.
    Mr. Boucher. Well, you will have your opportunity on the 
second panel, and I thank the gentleman. Mr. Kelliher, did you 
care to make another remark?
    Mr. Kelliher. Mr. Chairman, I just wanted to clarify my 
earlier comments about the sunset. I do think generally a 
sunset is inconsistent with the use of emergency powers, but 
FERC has, in our discussions with industry groups and with 
others, agreed to a sunset in the scenario where if there would 
be a Presidential finding or a finding by the Secretary, FERC 
would be directed to act. We have agreed to a 1-year sunset in 
the course of discussions in order to develop the broadest 
possible consensus. So I just wanted to clarify my comments on 
sunset.
    Mr. Boucher. And then on the question, Mr. Kelliher, of the 
basic powers that the statute would confer upon FERC, that 
would not be subject to a sunset? The basic requirements that 
the facilities connected to the grid take certain steps, all of 
them take certain steps as a basic protection against 
cybersecurity would not be subject to sunset. It would only be 
the emergency powers that are granted pursuant to special 
Federal finding, Presidential finding that there is a unique 
emergency that would be subject to some sunset?
    Mr. Kelliher. Yes sir, and the permanent standards that we 
have established under section 215 would not sunset, would not 
be affected. It would be the emergency actions, if you will.
    Mr. Boucher. Thank you for that clarification. It is very 
helpful. Mr. Kolevar, Mr. Kelliher, I know that both of you 
have urgent obligations elsewhere. We thank you for your 
attendance this morning, and you are excused.
    We now turn to our remaining witnesses on the panel who 
have already been introduced. And we would ask that your oral 
statements be kept to approximately 5 minutes, and that will 
leave us ample time for questions. Mr. Sergel, we will be happy 
to begin with you.

   STATEMENT OF RICHARD P. SERGEL, PRESIDENT, NORTH AMERICAN 
                ELECTRIC RELIABILITY CORPORATION

    Mr. Sergel. Thank you, Mr. Chairman and members of the 
subcommittee. My name is Rick Sergel, and I am the president of 
the North American Electric Reliability Corporation, known 
here as NERC. I appreciate the opportunity to appear before you 
today on this very special day and on this very important 
topic.
    Let me be clear: the risk to the operation of the Nation's 
electricity system from potential intrusion through the 
Internet into computerized system control capabilities, AKA 
cybersecurity attacks, is real. It is not new. The Energy 
Policy Act of 2005 in which this committee played a major role 
and which, for the first time, authorized the promulgation and 
enforcement of mandatory reliability standards to protect the 
bulk power system defined reliability standards as specifically 
including cybersecurity protection. You identified that early 
on.
    But at the same time, the nature of the threat is new every 
day because it changes all the time. And as the entity 
entrusted with protecting the reliability of the North American 
bulk power system, subject to FERC oversight in the United 
States, NERC takes very seriously its responsibilities for 
protecting the cybersecurity of the North American bulk power 
system and meeting this ever-evolving threat.
    NERC now has the ability to enforce over 100 reliability 
standards, including nine dealing with cybersecurity. These 
standards have improved the reliability of the system, 
including its cybersecurity.
    However, cybersecurity threats are different from other 
reliability concerns. Potential threats can arise very quickly, 
requiring rapid, effective, and often confidential responses. 
Cybersecurity threats are more likely to be driven by 
intentional manipulation of devices as opposed to operational 
events in the bulk power system, such as lightning or equipment 
malfunctions.
    When there is an imminent cybersecurity threat, the 
response must be immediate. It must provide for confidential 
treatment of critical information, rapid threat analysis, and 
directed actions necessary to address the threat.
    NERC develops reliability standards using a transparent 
process that provides for full participation of interested 
parties and draws heavily on industry expertise, but this takes 
time, and it takes transparent exchanges of data and views that 
are not well suited for a cybersecurity threat.
    For these reasons, it is NERC's position that in the event 
of an imminent cybersecurity threat, the U.S. Government should 
be authorized to act immediately. With emergency 
responsibilities in the hand of government, NERC will be better 
able to do what it does best. That is develop and implement 
cybersecurity reliability standards that will harden the grid 
against intrusion and aid in responding effectively to 
cybersecurity incidents.
    NERC is committed to ensuring the reliability of the system 
and assuring that NERC's efforts will be complementary to those 
of government and industry with regard to cybersecurity 
protection. Finally, NERC is committed to assuring that there 
are no gaps and that responsibility is clear for execution of 
cybersecurity protection initiatives.
    With helpful guidance from Chairman Langevin, NERC has 
elevated the importance and the urgency of understanding and 
addressing cybersecurity threats. Key elements of this strategy 
include consolidating responsibility for coordination of all 
cybersecurity matters across all NERC activities into a single 
responsibility area led by our new chief security officer, 
Michael Assante, who is here with me today.
    Improving our standards and developing processes to enable 
us to set standards on a more expedited basis are also 
important, as well as: raising the importance of the issue 
within the industry by engaging CEOs at the strategic and 
policy setting level; communicating more effectively with 
industry on critical infrastructure security matters; and 
coordinating effectively with the multiple government 
stakeholders involved in protecting the grid from cybersecurity 
attacks. You have talked about that several times this morning.
    In summary, cybersecurity threats to the bulk power system 
are real. Working with the government and industry, NERC is 
committed to addressing these threats; however, in order to 
address an imminent cybersecurity threat, the Federal 
Government must have emergency authority to act.
    NERC commends the subcommittee's efforts to develop 
appropriate emergency legislation and pledges to assist in this 
effort in any way that we can.
    Several times this morning, you have discussed our actions 
with respect to responding to Aurora, I think it is fair to say 
that when we acted with respect to Aurora by issuing our 
advisory, we did do some good. There has been progress as a 
result of sending that out, and we did the right thing to send 
it out. We also demonstrated, and for NERC painfully, the 
limitations of that process. There are limitations with respect 
to every aspect of it, including who did it go to. You 
mentioned numbers here today, 1,200, 1,500. I am uncomfortable 
with all of those because we know so much better who the 
individuals are that should get that advisory today than we did 
at that time.
    But the most important thing that we demonstrated was the 
limitation of trying to use a voluntary standards process and 
thinking that it could deal with an emergency threat. We 
recognize that there is a better way to do that and would ask 
you to establish legislation that can make that happen. Thank 
you very much.
    [The prepared statement of Mr. Sergel follows:]
    Mr. Boucher. Thank you very much, Mr. Sergel. Ms. Kelly.

 STATEMENT OF SUSAN N. KELLY, VICE PRESIDENT, POLICY ANALYSIS, 
     AND GENERAL COUNSEL, AMERICAN PUBLIC POWER ASSOCIATION

    Ms. Kelly. Thank you. I am Susan Kelly. I am the Vice 
President of Policy Analysis and the General Counsel of APPA. 
And I have with me Alan Mosher, who is our Senior Director of 
reliability. We represent the interests of more than 2,000 
publicly-owned electric systems in 49 States, and we serve 45 
million Americans.
    Those of you who know our industry know it is rare for our 
trade associations to speak with one voice on a federal energy 
policy issue, for legitimate reasons. We generally have very 
different views. But on the issue of protecting the bulk power 
system from cybersecurity emergencies, we have come together. 
APPA, the Canadian Electricity Association, the Edison Electric 
Institute, the Electricity Consumers Resource Council, the 
Electric Power Supply Association, the Large Public Power 
Council, the National Association of Regulatory Utility 
Commissioners, the National Rural Electric Cooperative 
Association, and the Transmission Access Policy Study Group all 
support carefully crafted specific legislation as the basis to 
deal with the discrete issue of cyber system emergencies.
    We understand the seriousness of the issue and the need to 
deal with it, but at the same time, we think that legislation 
needs to be carefully crafted and narrowly drawn.
    The subcommittee has asked me to address several issues 
regarding the House discussion draft. The full answers are in 
my written testimony, and I will just hit the highlights here. 
The associations support the House discussion draft with the 
specific language options that the associations have proposed. 
As so modified, we think it provides the commission with 
sufficient authority to deal with cyber system security 
emergencies.
    The draft would fill a narrow gap in the mandatory 
reliability standards regime that has been set up under section 
215. Under that section, FERC has certified NERC as the ERO. 
With the help of hundreds of industry volunteers, NERC develops 
and enforces mandatory reliability standards for the bulk power 
system to keep our lights on. FERC oversees NERC's activities 
in the United States.
    But NERC's standards also apply to utilities in Canada and 
northern Mexico. This industry-based framework is working to 
assure the reliable planning and operation of the bulk power 
system.
    Cybersecurity emergencies present a special case for three 
different reasons. First, they require protection against 
deliberate, malicious attacks intended to disrupt bulk power 
system operations. Second, new and unforeseen threats can arise 
very quickly, leaving little time to react. Third, there is a 
need for confidentiality, at least until the initial measures 
are in place. For these reasons, the association supports 
specific legislation to deal with such emergencies, but it must 
not undermine the section 215 framework. That framework needs 
to be able to continue to develop and mature.
    The House discussion draft dovetails with section 215. It 
is limited to the users, owners, and operators of the bulk 
power system. As NERC has applied that term in practice with 
FERC's approval, retail customers, local distribution 
facilities, small generators, and small utilities are generally 
excluded from the scheme. Any new cybersecurity legislation 
should apply to the same universe of facilities and entities. 
To do otherwise would raise jurisdictional and implementation 
issues that could greatly complicate consideration of this 
legislation.
    State regulatory commissions regulate local distribution 
facilities. The state's authority to regulate the reliability 
of local distribution networks and service should be preserved.
    I was specifically asked to discuss the remaining 
differences between the associations and FERC on the House 
discussion draft. The associations negotiated at length with 
FERC staff regarding this draft. We reached closure on many 
issues. We thank the FERC staff for the constructive and 
positive attitude it displayed throughout the negotiations. We 
were unable to reach closure on three issues, but that should 
not undermine the very substantial progress that we did make.
    The three areas are, first, the definition of a 
cybersecurity threat, as you have already heard. The 
associations and FERC agreed on most elements of that 
definition, but we think our proposed language limits the 
legislation to true cybersecurity emergencies, meaning threats 
that have a substantial likelihood of happening and that could 
substantially disrupt operations if they do happen. FERC's 
proposed definition is broader.
    The second issue is the inclusion of national security 
threats. FERC wants to expand the legislation to include 
``other national security threats'' as well as cybersecurity 
threats. Our associations believe that other government 
entities, both State and Federal, have more direct 
responsibility in the general area of national security.
    Moreover, this additional authority is quite vague in its 
wording and potentially all-encompassing in nature. We think 
including this language would spark an intense discussion that 
could slow the legislation down.
    Third, the sunset of interim measures that FERC enacts. We 
negotiated at length with FERC on the sunset provisions, and we 
reached closure on all issues except one. And that has to do 
with whether the sunset after 1 year unless there is an 
indication from DOE or the President that it should continue, 
should apply to both the interim measures under subsection B 
and the emergency measures under subsection C. Subsection B 
deals with Aurora. Subsection C deals with what happens 
thereafter on a going forward basis. We think those measures 
and orders should be either time limited by their natures or 
replaced by NERC reliability standards because in the long run, 
we think the standards should deal with this. FERC doesn't 
agree with this position.
    We couldn't reach closure, but we do think that we made a 
lot of progress on legislation. As this process moves forward, 
we strongly urge Congress to retain the carefully crafted 
language that the associations support. We thank you very much, 
and we stand ready to answer questions.
    [The prepared statement of Ms. Kelly follows:]
    Mr. Boucher. Thank you very much, Ms. Kelly. Mr. Naumann.

   STATEMENT OF STEVEN T. NAUMANN, VICE PRESIDENT, WHOLESALE 
 MARKET DEVELOPMENT, GOVERNMENT AND ENVIRONMENTAL AFFAIRS AND 
               PUBLIC POLICY, EXELON CORPORATION

    Mr. Naumann. Thank you, Mr. Chairman, members of the 
subcommittee. My name is Steven Naumann. I am Vice President 
for Wholesale Market Development for Exelon Corporation. I 
serve as Vice Chairman of the Members Representative Committee 
of NERC. I am also accompanied by Mr. Dan Hill, Exelon Senior 
Vice President and Chief Information Officer. I appreciate the 
opportunity to testify about protecting the electric grid from 
cybersecurity threats.
    I am appearing today on behalf of the Edison Electric 
Institute and the Electric Power Supply Association, and Exelon 
is a member of both these groups. My testimony focuses 
primarily on the nature of cybersecurity threats to the bulk 
power electric system and the efforts of electric utilities to 
respond to those threats, but it will also touch on proposed 
legislation before the subcommittee.
    I want to start, however, by assuring the subcommittee that 
Exelon and other electric utilities take cybersecurity very 
seriously. Electric utilities routinely monitor for and detect 
electronic probing of their systems from a variety of sources, 
confirming the likelihood of real cybersecurity threats. 
However utilities and other private sector entities are at a 
disadvantage in assessing the degree and the urgency of 
possible or perceived cyber threats because of their limited 
access to intelligence possessed only by the government.
    Many cybersecurity issues are already being addressed under 
current law. Critical infrastructure protection standards have 
been implemented under section 215 of the Federal Power Act, 
which provide for mandatory and enforceable reliability rules.
    However, the current reliability regime has limitations in 
its ability to be responsive to emergencies requiring 
immediate, focused, and confidential actions. Therefore it is 
appropriate for Congress to provide FERC with explicit 
authority to address cybersecurity in certain emergency 
situations.
    Any new FERC authority should be complementary to the 
existing authorities under section 215 of the Federal Power 
Act, which rely on the industry expertise as the foundation for 
developing reliability standards. Legislation should clarify 
the respective roles, responsibilities, and procedures of the 
Federal government and of industry; be narrowly tailored to 
deal with real emergencies; and promote consultation with 
industry stakeholders and owner-operators of the bulk power 
system on remediation measures.
    The scope of damages that could result from a cybersecurity 
threat depends on the details of any particular incident, but a 
carefully planned cyber attack could have potentially serious 
consequences. In mitigating a particular cybersecurity 
vulnerability, electric utilities must also consider the 
potential consequences caused by any mitigation measure on safe 
and reliable utility operations.
    For these reasons, for ensuring the cybersecurity of the 
bulk power system, the best framework is one that utilizes the 
respective strengths of both the government and the electric 
companies. It is critically important that as much as possible, 
any cybersecurity framework provide for ongoing consultation 
and sharing of information between government agencies and 
utilities to the extent possible.
    In conclusion, I want to reassure the subcommittee that 
owners, operators, and users of the bulk power system take 
cybersecurity very seriously. We are actively engaged in 
addressing threats as they arise, and in employing specific 
strategies that make every reasonable effort to protect our 
cyber infrastructures and mitigate the risks of cyber threats.
    As the industry relies increasingly on electronic and 
computerized devices and connections and the nature of cyber 
threats continually evolves and becomes more complex, 
cybersecurity will remain a constant challenge. But we believe 
we are up to the task of building on the industry's historical 
and deep-rooted commitment to maintaining system reliability.
    I appreciate the opportunity to appear today and would be 
happy to answer any questions. Thank you.
    [The prepared statement of Mr. Naumann follows:]
    Mr. Boucher. Thank you very much, Mr. Naumann. Mr. Lawson.

STATEMENT OF BARRY R. LAWSON, MANAGER, POWER DELIVERY, NATIONAL 
             RURAL ELECTRIC COOPERATIVE ASSOCIATION

    Mr. Lawson. Chairman Boucher, Ranking Member Upton, and 
members of the subcommittee, thank you for the opportunity to 
testify today on cybersecurity issues and their potential 
impacts on the bulk power system. My name is Barry Lawson, and 
I am the manager of power delivery for the National Rural 
Electric Cooperative Association. NRECA is a trade association 
consisting of nearly 1,000 cooperatives, providing electricity 
to 41 million consumers in 47 States.
    One of my primary areas of responsibility at NRECA is 
reliability, including cybersecurity. NRECA and its members 
understand the importance of cybersecurity. To arrive at the 
draft bill before you today, NRECA has worked closely with its 
industry counterparts and with FERC and NERC.
    NRECA commends FERC under Chairman Kelliher's leadership 
for its proactive outreach on the topics we are discussing 
today. Provisions in this draft bill can provide swift, 
effective emergency protection to the bulk power system in 
those limited circumstances when NERC cannot. NRECA supports 
the House discussion draft with the specific language options 
proposed by the associations.
    NRECA has been actively engaged with NERC from its origin 
over 35 years ago, to its transition into the industry ERO and 
as it issues reliability standards, including the cybersecurity 
standards FERC approved earlier this year.
    In January 2008, I began a 2-year chairmanship of the NERC 
critical infrastructure protection committee. The CIPC is a 
NERC standing committee that advises the NERC board of trustees 
on issues related to critical infrastructure protection 
including cybersecurity. My position on the CIPC requires me to 
interact with NERC, DOE, and DHS staff on an ongoing basis and 
contributes to the viewpoints I will share with you today.
    As both a participant in NERC and an interested observer of 
its role as the ERO, NRECA believes that the self-regulatory 
model is the best means of maintaining a strong, reliable bulk 
power system. The model recognizes that the electric industry 
addresses events and threats every day, including those posed 
by natural disasters, vandalism, and equipment failures.
    Last fall, many Members of Congress and the public were 
introduced to cybersecurity when news outlets ran a story and 
video showing a small electric generator that was damaged 
during a test. The news report said a government lab had 
demonstrated that computer hackers could cause physical damage 
to equipment through cyber means. The government labeled this 
vulnerability Aurora.
    Today, almost no one outside the intelligence community has 
been able to examine the technical and engineering details of 
the Aurora vulnerability. Key information about the 
vulnerability is still classified.
    Members of the NERC CIPC first received limited, 
unclassified information about the Aurora vulnerability from 
DHS in March of 2007. We were strictly prohibited from sharing 
this information, meaning I could not inform member 
cooperatives.
    In June 2007, DHS placed limited information and mitigation 
measures into a document that NERC utilized as an industry 
advisory. Although these measures did not reveal specifics 
about the vulnerability, cooperatives and other utilities that 
own or operate bulk power system facilities used their 
collective expertise to implement the measures on their 
individual systems.
    Aurora demonstrated the need for utilities to receive more 
timely and detailed information from intelligence sources about 
threats and vulnerabilities and their engineering, cyber, and 
mechanical implications.
    Under the existing rules and procedures created by NERC and 
approved by FERC, NERC can deal with a wide range of cyber 
threats. NERC's standards development process can sometimes be 
lengthy to accommodate the highly technical nature of the 
subject matter. But it can also be shortened when expediency 
demands.
    NERC has two special procedures for developing standards 
more quickly. The urgent action process was developed to 
approve standards within a few months, and the emergency action 
process was developed to approve standards within a few weeks. 
Both processes should be used whenever needed for the expedient 
development of reliability standards, including those related 
to cybersecurity.
    As Mr. Sergel explained to you, NERC recently wrote its 
board of trustees and industry stakeholders to explain changes 
and improvements it plans regarding its focus on cybersecurity. 
This NERC initiative is critically important to the reliability 
of the bulk power system, and we support these efforts.
    NRECA is working closely with its counterparts across the 
industry and agrees there is potential for some cyber threats 
and vulnerabilities so imminent and substantial that even 
revised and strengthened NERC procedures cannot assure the 
timely distribution of information and direction to industry to 
effectuate an adequate industry response to protect the bulk 
power system.
    In those limited circumstances when the President of the 
United States has determined emergency action is warranted, 
FERC should be able, after consulting industry and government 
authorities in Canada and Mexico, to issue orders addressing 
the emergency.
    In conclusion, NRECA supports the House discussion draft 
with the specific language options proposed by the 
associations. Like our industry counterparts, NRECA is prepared 
to assist the subcommittee and full committee with advancing 
this legislation. NRECA also looks forward to continued 
cooperation with FERC.
    I am happy to answer any questions you have.
    [The prepared statement of Mr. Lawson follows:]
    Mr. Boucher. Thank you very much, Mr. Lawson, and we thank 
each of the witnesses for their testimony here today. Mr. 
Naumann, maybe you can answer the question about cost of 
implementation. Using the NERC advisory as the standard, 
realizing that Mr. Kelliher is suggesting that it probably 
didn't go far enough and that he thinks to completely address 
the Aurora vulnerability that steps beyond that should be 
taken.
    But leaving that aside, just use the NERC advisory as the 
foundation. What would it cost a typical investor-owned utility 
to comply with that NERC advisory?
    Mr. Naumann. Mr. Chairman, could I have one second to 
consult with Mr. Hill who probably can get me that answer?
    Mr. Boucher. In the interest of getting the information, of 
course.
    Mr. Naumann. Thank you, Mr. Chairman. Mr. Chairman, to 
comply with the Aurora vulnerability as we were told, and we 
believe we are fully compliant, was a relatively minor cost 
across the entire Exelon Company, and that included the nuclear 
stations, which technically were not part of the advisory.
    Having said that, we understand from listening to Chairman 
Kelliher that they believe that there are additional 
vulnerabilities too that were not covered by the advisory and 
that we don't really know about. It would be very hard to 
estimate the cost without knowing what the vulnerability is, 
nor what the recommended mitigation is and----
    Mr. Boucher. Which is why I phrased the question only in 
terms of the NERC advisory.
    Mr. Naumann. Yes, sir.
    Mr. Boucher. Well, I am pleased by your answer that it is a 
relatively minor cost. Is there a dollar figure attached to 
that relatively minor estimate?
    Mr. Naumann. We don't have it now. If you want, we can try 
to obtain that.
    Mr. Boucher. It would be helpful. If you could just send us 
a letter addressed to the subcommittee following this hearing 
that states what you think the dollar cost to Exelon would have 
been across your company to meet the recommended security 
measures contained in the NERC advisory. That would be very 
helpful to us.
    Let me extend that question to others on the panel who 
might want to respond on behalf of their associations. Ms. 
Kelly, Mr. Lawson, do you have any answer to what the cost per 
covered entity would be?
    Ms. Kelly. I do not have any such answer for you at this 
time. We could obviously provide that for the record.
    Mr. Boucher. It would be helpful if you could. Mr. Lawson.
    Ms. Kelly. And we will look to primarily the three 
utilities that came in and met, from our membership, with FERC 
to discuss the vulnerability and what they had done. But I 
would like to state, and I think Mr. Lawson may be able to 
elaborate, that there really is a question even as to the NERC 
advisory as to what constituted compliance and it was not 
necessarily as clear as it might have been. And so, there was 
certain--we weren't sure what bar we were being asked to meet. 
And I think that was a concern.
    Mr. Boucher. Well, I am trying to get as broad an estimate 
as possible. We are in the posture now of statutory drafting 
where we are going to be making some decisions in the very near 
term about how we empower FERC to move forward with its 
rulemaking on this subject.
    Now, a key part of those considerations will be timeframes 
under which we expect that actions will be taken, actions taken 
by the FERC, yet advancing its rulemaking process to 
conclusion. And then actions that would be taken by the covered 
entities to comply with the rules that FERC puts forward. We 
may or may not have specifications within the statute that 
address the latter part of that. But having some understanding 
of cost and to the extent that you would want to comment on it, 
other kinds of implementation challenges that you might foresee 
would assist us in that.
    Now, as Mr. Naumann pointed out, I fully realize that 
making definitive decisions about this are difficult at this 
stage because we really don't know what FERC would choose to do 
beyond the NERC advisory in terms of steps that would be 
required for covered entities. So probably our decision will be 
to simply empower FERC to set the timeframes for compliance by 
the covered entities.
    It would be difficult for us to establish that statutorily, 
but there may be those on our panel who want to do that. So 
having some information about what the cost to you would be, 
what other implementation issues you see, just using the NERC 
advisory itself as a foundation would be helpful to us.
    Mr. Lawson, would you have any comment about this?
    Mr. Lawson. Similar to Susan Kelly's comments in that we 
don't have cost info from the individual cooperatives. I think 
the best we could do would be to talk to the cooperatives that 
did meet with FERC on the Aurora advisory and see if they have 
that kind of information that they can provide us.
    It is important to understand that cost can vary depending 
on the scope of the assets at each utility. It is going to be 
very difficult to have a typical cost. And also what I would be 
asking the cooperatives would be their cost associated with the 
language specifically in the NERC advisory.
    Mr. Boucher. OK, that would be fine. Let me move to one 
other question, and again I will ask you as I have asked Mr. 
Kelliher to be somewhat brief in this answer. I would be 
interested in your views, succinctly spoken, on three 
questions. Number one, do you believe that the authority that 
we will be conferring on the FERC to guard against 
cybersecurity attacks should go beyond the cybersecurity and 
actually cover physical attacks that might be made on the 
covered facilities? That is number one.
    Number two, address, if you will, the question of sunsets 
on FERC actions, FERC orders. In the first category would be 
the basic steps that all covered entities would have to take in 
order to address the Aurora vulnerability specifically. I can 
tell you my own view is that ought to be permanent in nature. 
But if you disagree with that, I would like to hear a reason 
why.
    And the second category is steps that would have to be 
taken by the covered entities under FERC order pursuant to a 
presidentially declared unique emergency. Should there be a 
sunset on those orders? And if so, what should be the 
conditions that trigger the sunset?
    And then number three, what should be the basic scope of 
the authority that we extend to FERC with regard to the covered 
entities themselves? Should it just be the continental United 
States bulk power system? Or should it extend to Alaska and 
Hawaii and their separate electrical systems? And should it 
extend to the distribution systems in our larger cities? And I 
know, Ms. Kelly, you addressed that at some length in your 
testimony, but I would like to hear what other witnesses have 
to say.
    So in view of the fact that Mr. Shimkus is eagerly awaiting 
his question time, let me ask you to be as succinct as you can 
in providing that answer. And who would like to begin? Mr. 
Sergel?
    Mr. Sergel. Address a couple of those for you. Our role 
here is to make sure that we can seamlessly and effectively 
implement whatever legislation you pass and do that and further 
the good work that was established when you enacted section 215 
and created an ERO. So that is where I come from.
    I think with respect to how broad is the authority, the 
highest priority is the bulk power system. That doesn't mean 
there aren't important things in the distribution system. There 
are, and let me be clear to the extent that the bill doesn't 
cover that, that will leave open something. That will make me 
uncomfortable that that is uncovered, but the higher priority 
is the bulk power system.
    Hawaii and Alaska are special considerations, and maybe 
that is independent of distribution. And potentially you could 
look at it that way because that is even a greater concern.
    With respect to the sunset provisions, we are going to be 
able to implement that successfully regardless of what those 
provisions are. With respect to the authority and how it is 
granted, we will seek to implement it effectively as written. 
But the clearer that authority is, and the better that that is 
laid out, certainly we will be able to implement it better.
    And finally I would say with respect to--and I think the 
language in the draft that I looked at was ``and other national 
security threats.'' Again with respect to that, clearly 
cybersecurity is the highest priority here. It is the simple 
one that is most important. It is what we have been focusing 
on. It is not to minimize other national security here in this 
context, but we understand those better. We have other ways of 
doing those things. It is not the highest priority for me.
    Mr. Boucher. Thank you, Mr. Sergel. Ms. Kelly.
    Ms. Kelly. Thank you. Your first question had to do with 
the physical attacks, and I will start there. The association 
position is no, that they should not be covered in this 
legislation and in part for the reason that Mr. Sergel just 
stated is that there are other governmental authorities and 
entities. And I would just note the FBI, the Department of 
Energy, state and local law enforcement that are all involved 
in those activities. And we already have to answer to a 
substantial number of masters in that regard.
    Second, the sunset question you asked. The association 
position is that that should apply to both the interim 
authorities that are exercised under B, and the emergency 
authorities under C. Our reasoning for that was that--I am 
sorry?
    Mr. Boucher. Go ahead.
    Ms. Kelly. OK, our reasoning behind that was that we 
regarded this as stopgap emergency authority for events that 
would either be time limited and thus would expire by their own 
terms or should be replaced by NERC set reliability standards. 
For that reason, we wanted the sunset to apply in both cases. 
We negotiated with the FERC over that. They did not like the 
so-called hard sunset. We reached, you know, OK, well, we 
understand that position. And for that reason, we agreed that 
it could continue past the year so long as there was a 
determination that a problem was still existing. Our thought 
was in most cases that NERC reliability standards should be in 
place by the end of that year, and therefore it would be a moot 
question.
    But we understand that there is a difference of opinion, 
and that is legitimate.
    Mr. Boucher. Well, with regard to these interim standards 
that are designed to address the Aurora vulnerability, the 
Aurora vulnerability is not going to go away as a security 
threat. And steps will need to be taken therefore on an ongoing 
basis to address that threat. And I gather from your testimony 
that you are suggesting that the FERC should not be the 
perpetual agency to impose the requirements for what those 
steps ought to be.
    And I gather from what you are saying that you think that 
the NERC, through its consensus-based rulemaking process, 
should take a hand off of that authority after some period of 
time. Have I correctly interpreted your comments?
    Ms. Kelly. I think that is, yes, that is correct. Our view 
is that we understand the need for FERC to step in to act 
quickly, but we believe that that needs to then be run through 
the NERC standard setting process. In part, one of the reasons 
is, we in the industry, we think we actually have some 
expertise to offer on the best way to implement these 
standards.
    And we are also concerned about cost. Let me just say that. 
And we want to make sure that these standards, you know, 
especially if they are going to be in effect for a long time, 
are done in the most cost effective manner possible. And that 
is one of the things that the industry can bring to bear. Its 
expertise can come to bear during the NERC standard setting 
process. So we are not kicking about FERC getting this 
authority under B to, you know, act to do this rulemaking on an 
expedited basis, but we are saying it should then be handed off 
to NERC.
    Mr. Boucher. All right, thank you. That is very clear. Mr. 
Naumann?
    Mr. Naumann. Yes, Mr. Chairman, on your first question, the 
draft now has the words ``other national security threats.'' We 
believe that is an extremely vague term and are uncomfortable 
with that. You also mentioned, rather than that, physical 
threats. I agree with Mr. Sergel and Ms. Kelly, that is a lower 
priority, but if, in fact, there is going to be some additional 
authority beyond cyber, it should be very much tighter language 
than overall other national security threats, which could be 
interpreted as having 90-day stockpile of coal or something 
like that, which we think goes way beyond what----
    Mr. Boucher. All right, that point is duly noted.
    Mr. Naumann [continuing]. Immediate intent. And as far as 
the sunset, I agree with Ms. Kelly. To the extent there are 
interim measures for Aurora, to the extent they can be and 
should be replaced by permanent standards done through industry 
expertise, that would be our preference. And with respect to 
the emergency action, again I would prefer that if the 
requirements still remain, then the President should reissue 
the directive.
    As far as the authority on Alaska and Hawaii, we understand 
that is a special situation. There are very important military 
installations there that somehow would need to be taken care 
of, but they are really not part of the scheme that we are 
dealing with.
    Mr. Boucher. Major distribution systems in the cities?
    Mr. Naumann. That is correct. Major distribution system in 
the city gets very complicated. We would hope that that could 
be done rather through consultation with the state regulatory 
agencies who very well understand those systems, which New York 
is somewhat unique. D.C. is somewhat unique. Chicago is 
completely different from those systems and served differently. 
And where do you get the cutoff on the distribution if you 
don't go all the way? Thank you, Mr. Chairman.
    Mr. Boucher. All right, thank you. Mr. Lawson?
    Mr. Lawson. I agree with the comments you have heard from 
the other panelists. In addition, with regard to going beyond 
cybersecurity in the legislation, to reiterate what Mr. Naumann 
stated about the vagueness and broadness of the definition that 
we were provided, that was problematic, and we would very much 
want that tightened up before we could agree to anything.
    Also it is very important to recognize that the industry 
has been dealing with physical threats for decades and has done 
an excellent job dealing with physical threats. Cyber threats 
are the new issues here. That is where the new focus should be, 
and that is why this legislation should focus on the cyber 
threats. The industry is doing a very good job with dealing 
with the physical threats and has for a long, long time.
    With regard to the sunsets, if an order or a directive 
needs to continue, there are provisions in the legislation for 
that, for a certain period of time. However, other than the 
order or directive, we want the industry, through NERC's 
standards development process, to take care of those issues 
with standards. And as I mentioned in my oral statement about 
the expedited standards development processes that NERC does 
have, we think that would be an excellent vehicle for 
addressing some of those issues. With regard to the scope going 
to the distribution side of things or Alaska and Hawaii, with 
regard to distribution, of course, the states and local 
authorities have many regulatory authorities in those areas.
    It is also important to realize that the bulk power system 
is where you can have the larger impacts. The distribution 
system is local, and it is broken up into many small pieces. 
And those impacts are often shorter in timeframe and much more 
limited in the numbers of meters that are not in service 
because of an incident.
    So we think those are reasons why this legislation should 
focus on the bulk power system.
    Mr. Boucher. Mr. Lawson, thank you very much. I would like 
to, at this time, call on the gentleman from Illinois, Mr. 
Shimkus, for 5 minutes.
    Mr. Shimkus. Thank you, Mr. Chairman. Mr. Naumann, please 
explain how your company has prepared itself for the tested 
and--I am sorry--and tested its response to cybersecurity 
threats.
    Mr. Naumann. Thank you, Congressman. In my testimony, I 
referenced defense in depth, and that includes--and I guess I 
am going to use a number of technical words that we do. We 
segregate the networks that we have. We have a program of patch 
management, much like in a way to say you get updates on your 
Microsoft software occasionally when there is a vulnerability 
found. We do this on a very routine basis, sometimes on an 
emergency basis.
    We have intrusion detection sensors that we maintain on our 
network systems. We have security event monitoring, 
vulnerability testing. One of the things I mentioned in my 
testimony is we hire outside firms to do penetration testing. 
In other words, they act as the red team to try to break into 
our system, and we then learn from what they tell us.
    We deal all the time with security vendors, with the FBI, 
with local law enforcement. And lastly, we have encrypted our 
data even to the point of, for example, the laptop that I carry 
with me. The data is encrypted so that if it is stolen, the 
data is worthless to somebody.
    Those are some of the measures that we take, Mr.--
    Mr. Shimkus. This is a real pressing issue, and I know, 
based upon the Aurora event and others, I follow the captive 
nations, the former captive nations of the eastern bloc 
countries. Russia conducted a cyber attack against Estonia, I 
guess, a year and a half ago. The prelude into the intervention 
into Georgia was a cyber attack there. I mean so this is real 
stuff, and that is why it is important. And I appreciate the 
chairman identifying it as so.
    For you again, Mr. Naumann. What resources and/or 
information would make your efforts to defend against 
cybersecurity threats more effective?
    Mr. Naumann. Congressman, probably the most important thing 
is access to information. As I said, we are actively engaged in 
protecting our system against those threats that we know and 
those threats that we can try to figure out.
    We understand for good security purposes, there is 
information that we don't have access to, and there needs to be 
a way that the industry can work with the government and the 
government can work with the industry so that we can have 
access to that information so that we understand what the 
vulnerabilities are and so that we can agree on mitigation 
measures to do that. Without that, we feel like we are fighting 
this battle with one hand tied behind our backs.
    Mr. Shimkus. Yes, let me ask about the emergency and 
interim authority issues and with our border friends, the 
Canadians and Mexico. And what do we think their response would 
be? And is there some optimism? And this is for the panel as a 
whole, so why don't we just start from left to right. My left, 
your right.
    Mr. Sergel. We work very effectively with our partners in 
Canada and to a lesser extent with Mexico as well. NERC has a 
relationship with each of the eight provinces as they have 
decentralized responsibility for this in Canada, and those 
relationships are different.
    I think the single most important thing to keep that 
relationship positive as it is today is to separate the 
standard setting process, which is what we do through section 
215 as enabled by you in the United States, to keep that 
separated from the emergency measures that one would take 
because of an imminent threat. As long as we keep those 
separate, then I think we will be successful.
    So we support the bill, support a bill here to take 
emergency action. Lots of discussion of that this morning. 
There needs to be a handoff of that to the standards process. 
If we do that, then we will work very effectively with our 
neighbors.
    Ms. Kelly. I would just like to note that the Canadian 
Electricity Association submitted a statement for the record, 
which I would recommend for your review. I would note also that 
I was somewhat disturbed by Mr. Kolevar's discussion about 
giving FERC interim standards writing authority. That is the 
first that we have heard of that. It goes exactly to the issue 
that Mr. Sergel just identified, which is the way the 215 
scheme is set up is that industry and NERC together write the 
standards. That is not a government activity.
    So that, I think, in particular would alarm the Canadians 
because they have to be--they have to abide by NERC's 
standards. So in effect, what is happening there is they are 
being asked to abide by standards written by a Federal 
Government U.S. agency. And that is a problem, I believe. I 
will let them speak for themselves, but just based upon what I 
know during our negotiations, I think that would be a concern.
    Mr. Shimkus. And you all can chime in if you want, but it 
is probably not a concern that you all would have. So what are 
our vulnerabilities? Is our grid adequately protected by 
firewalls and passwords? Will a one-time cyber reliability rule 
solve the problem? Or will we have to constantly change and 
upgrade to keep up with the changing threats? Then, this is a 
one over the world question. Won't government authority to 
constantly change protections and systems risk express an 
unpredictable cost on system operators?
    Well, it is really for all because the question is, as we 
firewall and protect, bad guys evolve, which is for you. But 
then the question is for industry or for the rural, at what 
cost? How do we manage both, and we try to get it as right as 
we can?
    Mr. Sergel. I think standards can take you just so far 
because there is an opportunity to harden the system, to defend 
against those things which we understand like passwords and 
firewalls and have those be as effective as possible. We have 
done that with the standards in the past. They were developed 
cooperatively with the industry, and that process needs to 
evolve.
    But I think it also suggests that a standard is out there 
to be seen. Everyone knows what we are doing, how we are 
proposing to implement it, and therefore, it is suggested that 
we have to be constantly vigilant and adapt as new problems 
arise.
    Mr. Shimkus. Thank you. Ms. Kelly.
    Ms. Kelly. I would just add to that that we are concerned 
on an ongoing basis about the cost of compliance. There is no 
question about that. That was one of the reasons why our 
definition of cybersecurity threat is a little tighter than 
that that the commission supports because, for example, we 
would not want to be spending unknown amounts of time on new 
hardware, new software, new hardening, that kind of thing, for 
something which may not have a substantial possibility of 
disrupting the operation of the bulk power system.
    And since theirs is phrased in the disjunctive, I believe 
that could possibly be the case. So I just note that for you.
    Mr. Shimkus. OK, thank you. Mr. Naumann.
    Mr. Naumann. Congressman, I have two things to add. The 
first is we are always on our own trying to protect against new 
threats and upgrading our equipment. And, as Mr. Sergel said, a 
standard can only take you so far when something new is 
discovered.
    Mr. Shimkus. And plus you have the risk of great loss.
    Mr. Naumann. We have our self-interest here.
    Mr. Shimkus. Right.
    Mr. Naumann. But what I would say is that that is where the 
consultation between the government agencies and the users, 
owners, and operators is useful in both working out the 
mitigation and dealing with the cost effectiveness as we do 
have experience in how to do this and we will do it. Obviously 
we don't want an incident, but to work together to try to 
design the best way to do this and protect the electric power 
system.
    Mr. Shimkus. And Mr. Lawson.
    Mr. Lawson. Just to add, I think it is important to 
understand that utilities deal with cyber issues every day 
because it is important to their business, and it is important 
to the service they are providing to their customers. It is not 
something that we deal with only because we have cybersecurity 
standards. It is because it is the right thing to do. It is the 
important thing to do.
    Mr. Shimkus. That is all I have, Mr. Chairman. Thank you.
    Mr. Boucher. Thank you very much, Mr. Shimkus. I am going 
to ask unanimous consent--Mr. Shimkus and Mr. Upton have 
already approved this--that we insert a----
    Mr. Shimkus. You don't want me messing with you, right?
    Mr. Boucher. Well, yes, that was the implication of the 
question. These are statements from the National Association of 
Regulatory Utility Commissioners, the Electric Consumers 
Resource Council, and the Canadian Electricity Association, all 
addressing the issue before the subcommittee today, to be 
included in the record. Without objection, so ordered.
    [The information appears at the conclusion of the hearing.]
    Mr. Boucher. That was perfect. Thank you so much.
    I want to thank our witnesses for their attendance today, 
for their very helpful testimony. We appreciate the time you 
have taken with us. We will look forward to your submission of 
the information that you have said you will supply to us.
    And as we take further steps in this process, we will be 
consulting with you. With that and thanks to the witnesses, 
this hearing is adjourned.
    [Whereupon, at 1:27 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

               Prepared statement of Hon. John D. Dingell

    Today's hearing focuses on how to help ensure the 
reliability of our Nation's electricity grid in the face of its 
vulnerabilities to cybersecurity attacks.
    A successful remote cyber attack on a power plant's utility 
control systems could do more than cause a brief blackout or 
brownout. The Idaho National Laboratories has shown how a 
hacker can remotely turn a large generator into a smoldering 
piece of scrap metal in minutes. Known as the ``Aurora'' 
Vulnerability, this type of attack could destroy generating 
equipment and impair the generation and delivery of electricity 
across North America for weeks or months, its consequences 
cascading on consumers, our economy, our health care system, 
and our national defense assets.
    These concerns are more than theoretical. A 2005 Federal 
Energy Regulatory Commission staff report identified 20 
separate domestic and foreign instances of cyber attacks on 
electricity systems including hydroelectric dams and nuclear 
power plants. The Defense Science Board reports that U.S. grid 
control systems are continuously probed electronically, and 
``there have been numerous attempted attacks on the Supervisory 
Control and Data Acquisition (SCADA) systems that operate the 
grid.''
    We have been fortunate that the United States has not 
experienced a major power outage from a cyber attack. However, 
the CIA has identified cyber attacks on the electrical systems 
in major cities overseas which caused significant blackouts. 
CIA has reported that criminal enterprises have broken into 
utility control systems overseas as part of extortion schemes.
    Since many of these same control systems used in the United 
States are also used in plants around the world, the knowledge 
about how these systems work is globalized.
    In response to Department of Homeland Security's warnings 
about the Aurora vulnerability, the North American Electric 
Reliability Corporation (NERC) issued an advisory in June 2007 
which outlined immediate and longer term mitigation measures 
for utilities. Compliance, however, was voluntary.
    A FERC audit of 30 utilities found that only two or three 
had adequately mitigated the Aurora vulnerability and the vast 
majority had not complied with NERC's advisory. For some of the 
Nation's largest utilities, there has been woeful inaction some 
15 months later.
    As the Electricity Reliability Organization designated 
under section 215 of the Energy Policy Act of 2005, NERC is 
developing consensus cyber protection standards. However, this 
process is not responsive to the immediacy of the vulnerability 
or the threat. Both the Department of Energy and FERC have 
urged that Congress extend Federal authority to take emergency 
actions to protect the grid.
    I commend Chairman Boucher for holding this hearing, and 
tackling the job of building a bipartisan consensus on 
legislation which will ensure that the Federal Government has 
the necessary powers to intervene when there are emergencies 
that threaten our Nation's electricity supply.
    I welcome Representative Jim Langevin, Chairman of the 
Homeland Security Committee's Subcommittee on Emerging Threats, 
Cybersecurity and Science and Technology, and commend him for 
his leadership and cooperation in working with this Committee 
on cyber vulnerabilities in the utility grid.
    I also welcome our panel of witnesses. I hope they can 
inform us on whether emergency powers should extend beyond the 
Bulk Power System to utility systems in Alaska, Hawaii, or 
Guam, and to what extent these powers should also be able to 
reach critical distribution systems in places like the District 
of Columbia or New York City. We want to be sure that 
legislation addresses threats to the electrical system, and 
that the Federal Government is not improperly hobbled by legal 
and jurisdictional boundaries in the case of an emergency.
                              ----------                              
  Richard P. Sergel, Responses to Questions from Hon. John D. Dingell

    Question No. 1: The Federal Energy Regulatory Commission 
(FERC) testified that 23 of 30 utilities that it audited had 
not complied with the June 2007 North American Electric 
Reliability Corporation (NERC) Advisory on the Aurora 
Vulnerability. To what factors do you attribute this level of 
compliance?
    Response: NERC has not, at this time, been given access to 
the results of FERC's evaluation of industry efforts to comply 
with the mitigation measures set out in NERC's June 2007 
Advisory, beyond what was discussed publicly at the September 
11 hearing. Therefore, NERC is not in a position to analyze 
those results. Based on discussions with industry 
representatives, NERC believes that one important factor 
affecting the ability of the industry to implement mitigation 
measures is that industry recipients require more detailed and 
comprehensive engineering data on specific vulnerabilities than 
could be provided in NERC's Aurora Advisory. Efforts are 
underway to close this gap while managing the risk of 
disclosing a ``road map'' to potential adversaries.
    Question No. 2: Do you believe FERC's audit results are 
representative of the extent of compliance by most utilities 
with the NERC Advisory?
    Response: As stated in the response to question number one, 
NERC has not, at this time, been given access to specific 
responses made by utilities during the FERC interview process, 
nor are we aware of the criteria used to determine the adequacy 
of implemented mitigation measures. In his testimony, Chairman 
Kelliher described a detailed interview process by FERC staff 
with a sampling of geographically dispersed utilities of 
different sizes across the contiguous 48 states. We have no 
reason to believe that the results of that process are not 
likely to be representative of the extent of compliance by most 
utilities with the Aurora mitigation measures.
    Question No. 3: FERC indicated that some utilities which 
had complied with the NERC Advisory were still vulnerable to 
Aurora. Please explain whether the NERC Advisory was inadequate 
to fully guide utilities in mitigating the Aurora 
Vulnerability. Please explain whether NERC has modified its 
advisory to address any deficiencies.
    Response: The Aurora mitigation measures included in NERC's 
Advisory were assembled through a process that included 
researchers involved in the government's vulnerability 
demonstration project and industry subject matter experts. 
Clear challenges were presented in the need to utilize only 
information approved for distribution and the identification of 
measures that could be applied to a variety of different cases 
and unique settings. Industry recipients generally report that 
they require more detailed and comprehensive engineering data 
on specific vulnerabilities than was provided in NERC's Aurora 
Advisory in order to fully address a vulnerability. NERC has 
not, at this time, received additional information from the 
Federal government regarding the properties of the 
vulnerability or on any threat intent on exploiting the 
vulnerability. Consequently NERC is not, at this time, in a 
position to modify the Advisory.
    Question No. 4: Who should have authority to implement 
emergency requirements: the Department of Energy or FERC?
    Response: As I testified at the September 11 hearing, NERC 
supports legislation granting the U.S. federal government 
authority to act immediately in the event of an imminent cyber 
security threat. NERC has a strong working relationship with 
both the Department of Energy and the FERC. Under the Energy 
Policy Act of 2005, FERC certified NERC as the Electric 
Reliability Organization to develop and enforce mandatory 
reliability standards to protect and improve the reliability of 
the bulk power system. NERC works closely with FERC in 
implementing the statutory mandate. NERC also works closely 
with the Department of Energy, as the Sector Specific Agency 
for Energy, in the execution of NERC's responsibilities as the 
Electricity Sector Information Sharing and Analysis Center (ES-
ISAC). NERC was designated as the electricity sector 
coordinator for critical infrastructure protection and has 
served in that role for several years. The agency assigned 
responsibility for acting in emergency situations should 
consult with NERC and industry experts to the maximum extent 
feasible in carrying out any emergency authority.
    Question No. 5: How effective have Canadian utilities been 
in complying with the NERC Advisory on the Aurora 
Vulnerability? Has there been a governmental audit of 
compliance in Canada similar to that conducted by FERC on the 
Aurora Vulnerability?
    Response: Canadian entities participate in NERC committees 
including the Critical Infrastructure Protection Committee 
(CIPC), and also receive information from the ES-ISAC. When the 
Advisory was sent to NERC-registered Canadian entities the 
Canadian Electricity Association (CEA) requested and was 
granted permission to post the Advisory and the attached 
questionnaire on CEA's secure Intranet for CIP with a request 
that organizations review and complete it as appropriate. We 
are told that this was to ensure a broader dissemination of the 
Advisory because a limited number of Canadian organizations 
were on the distribution list to which the Advisory was sent 
directly.
    Based on our discussions with Canadian utilities and 
Canadian government officials, NERC understands that when 
information about the preliminary results of the Idaho National 
Laboratory simulation was brought to the attention of the 
Canadian Cyber Incident Response Centre of Public Safety 
Canada, the Centre met with other government agencies with 
responsibility in the area to determine appropriate action. It 
was decided that the Energy Infrastructure Protection Division 
of Natural Resources Canada should arrange a meeting with 
energy and utilities stakeholders. In March 2007 a detailed 
briefing was convened for Canadian energy interests including 
electricity, oil and gas, and nuclear. Officials from Public 
Safety Canada, Natural Resources Canada, the RCMP and the 
Integrated Threat Assessment Centre participated and 
disseminated the DHS warning and information package. There was 
also a briefing of Canadian utility participants by staff from 
the Idaho National Laboratory. Industry participants had 
security clearances and received a confidential briefing that 
they say helped them understand the nature of the problem and 
the appropriate action to take.
    The Advisory and identification and mitigation of 
vulnerabilities were subsequently discussed at two CEA Security 
and Critical Infrastructure Committee meetings. In addition, 
there were further contacts between Canadian government 
officials and DOE and DHS. Public Safety Canada advises that 
they coordinated actions with DHS, including the provision of 
sector briefings, technical advice, analysis activities at 
Idaho National Laboratory, and public communications 
strategies. To NERC's knowledge, no audit has been undertaken 
by Canadian government agencies of actions taken by utilities.
                              ----------                              
   Barry R. Lawson, Responses to Questions from Hon. Edward J. Markey

    Question No. 1: There was a suggestion at the hearing that 
one way to address the cyber-security of the grid system beyond 
that of the bulk power system would be through a consultation 
process. If the cyber threat to the bulk power system demands 
an increased federal authority in order to permit an immediate 
response to any security incident or threat thereof, how would 
a consultation process provide the same level of protection for 
those on the grid beyond the bulk power system? If it would 
not, why is it appropriate to settle for only limited 
protection of the grid?
    Response:
    A consultation process is appropriate regarding electric 
system facilities that are beyond the bulk power system. These 
facilities are in most cases considered to be the distribution 
system. The bulk power system is significantly different from 
the distribution system. There are clear reasons why these 
distribution facilities should not be treated the same as the 
bulk power system in cyber security legislation.
    • Giving FERC or any other federal agency 
jurisdiction over the distribution elements of the electric 
utility system causes complications with state and local 
regulatory authorities.
    o Most distribution facilities are beyond the jurisdiction 
of FERC. The FPA expressly reserves jurisdiction over 
distribution facilities to the states.
    o The regulation of the distribution system is imbued with 
a number of local economic and political issues that are best 
handled at the local level, not the federal level.
    o FERC is not as familiar and will never be as familiar as 
the individual states are with the structure and design of the 
local distribution system in their states.
    o State PUCs and other state/local regulatory authorities 
have traditionally dealt with distribution service reliability 
issues. These authorities best understand local distribution 
system characteristics and conditions, which differ 
substantially from those of the bulk power system. Local 
distribution systems vary widely in their specific 
configurations and designs, making utilities and state/local 
officials best positioned to take protective steps when 
necessary.
    • When comparing the bulk power system to the 
distribution system, it is important to understand several 
distinctions.
    o An incident on the bulk power system can potentially 
impact a larger geographical area and a corresponding potential 
larger number of consumers. An incident on the distribution 
system impacts a smaller area and a lesser number of consumers. 
That means protection of the bulk power system is a higher 
priority for the electric utility industry, and that the 
distribution system will pose a much lower priority target.
    o Distribution facilities are typically quicker and easier 
to restore than bulk power system facilities. A distribution 
circuit can often be easily restored merely by replacing a 
single failed element and then re-energizing the circuit. 
Restoring the bulk power system, however, is much more 
complicated. Because of the large number of components and 
integrated network nature of the bulk power system, it can 
require significant regional coordination and considerable time 
for re-energizing.
    o Many distribution system elements are not automated/
controlled remotely with programmable devices and therefore not 
necessarily vulnerable to cyber issues.
    o The distribution system is separated from the bulk power 
system through protection protocols and equipment.
    • Distribution circuits fail without any cyber 
attacks. Automobile accidents and animal-related interruptions 
are some of the most common causes of outages and they cannot 
be completely prevented. Utilities have a long history of 
successfully demonstrating that they are well-prepared to 
respond to these and other incidents on their distribution 
system.
    • Because of these differences, the distribution 
system does not require the same level of protection as the 
bulk power system.
    o Where an uncontrolled failure of the bulk power system 
can potentially lead to a ``cascading'' failure potentially 
affecting a large number of consumers, an uncontrolled failure 
of a distribution circuit is unlikely to affect a large number 
of consumers and is limited to those consumers on a particular 
distribution circuit.
    o Distribution circuits are seldom material to the 
reliability of the bulk power system and, when they are 
material, they currently fall within the definition of the bulk 
power system.
    • Accordingly, with the preceding information being 
understood, it is not necessary or appropriate, and can in fact 
be disruptive, for distribution facilities to be addressed in a 
similar manner as bulk power system facilities.
    Question No. 2: This Congress has heard hours of testimony 
on some pressing grid issues and some promising grid solutions, 
including those centered around ``smart grid'' technology. Your 
testimony reported that in 2006, cooperatives led the industry 
in installation of smart meters. Moreover, you offered 
testimony regarding the need to ensure that whatever grid 
solutions we implement in the smart grid realm appropriately 
capture cyber security protections. I am glad to hear both the 
progress demonstrated by the cooperatives with smart grid 
initiatives and the industry's recognition of the importance of 
integrating policy, practice and technology in this emerging 
field. Can you provide me with specific examples of how the 
industry is working toward the goal of ensuring appropriate 
integration in the field of smart grid technology? If not, can 
you explain why not and what would need to happen to have a 
more integrated approach pursued?
    Response:
    • ``Smart Grid'' technology often uses the internet 
and other automated equipment. Therefore, it is potentially 
vulnerable to cyber issues. Implementation of this technology 
should always include cyber protection related to the 
equipment/devices that are being utilized.
    • Cyber security should be a part of an entity's due 
diligence when considering the use of such technology. I 
understand that this is addressed by entities when they 
consider using ``smart grid'' technology.
